CN111143182B - Analysis method, device and storage medium for process behavior - Google Patents


Info

Publication number: CN111143182B
Authority: CN (China)
Prior art keywords: api, current, writing, behavior, parameter
Legal status: Active (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Application number: CN201911379473.6A
Other languages: Chinese (zh)
Other versions: CN111143182A (en)
Inventors: 刘业欣, 刘海霞
Current Assignee: Nsfocus Technologies Inc; Nsfocus Technologies Group Co Ltd (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Original Assignee: Nsfocus Technologies Inc; Nsfocus Technologies Group Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date

Events:
Application filed by Nsfocus Technologies Inc, Nsfocus Technologies Group Co Ltd
Priority to CN201911379473.6A
Publication of CN111143182A
Application granted
Publication of CN111143182B
Legal status: Active
Anticipated expiration

Classifications

    • G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F11/00 Error detection; Error correction; Monitoring > G06F11/30 Monitoring > G06F11/34 Recording or statistical evaluation of computer activity, e.g. of down time, of input/output operation; Recording or statistical evaluation of user activity, e.g. usability assessment > G06F11/3452 Performance evaluation by statistical analysis
    • G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F11/00 Error detection; Error correction; Monitoring > G06F11/30 Monitoring > G06F11/3003 Monitoring arrangements specially adapted to the computing system or computing system component being monitored > G06F11/302 Monitoring arrangements specially adapted to the computing system or computing system component being monitored where the computing system component is a software system
    • G PHYSICS > G06 COMPUTING; CALCULATING OR COUNTING > G06F ELECTRIC DIGITAL DATA PROCESSING > G06F16/00 Information retrieval; Database structures therefor; File system structures therefor > G06F16/20 Information retrieval; Database structures therefor; File system structures therefor of structured data, e.g. relational data > G06F16/25 Integrating or interfacing systems involving database management systems > G06F16/258 Data format conversion from or to a database

Abstract

The invention discloses a method, a device and a storage medium for analyzing process behavior, used to solve the technical problem of the low efficiency of process behavior analysis in the prior art. The method comprises the following steps: acquiring monitoring data obtained by monitoring a preset process; writing the monitoring data into a behavior record file, the behavior record file being used to store data related to monitoring the process behavior; and, when behavior analysis is performed on the preset process, reading the monitoring data from the behavior record file and performing analysis and process behavior statistics on the monitoring data, thereby obtaining a process behavior analysis result for the preset process.

Description

Analysis method, device and storage medium for process behavior
Technical Field
The present invention relates to the field of computer security technologies, and in particular, to a method and apparatus for analyzing process behavior, and a storage medium.
Background
In the field of computer security technology, security technicians increasingly use process behavior to analyze program code and take corresponding security precautions according to the analysis results.
In the prior art, a system for performing process behavior analysis generally includes a monitoring module, an analysis module and a database: the monitoring module monitors a specific process and stores the obtained monitoring data in the database, and the analysis module reads the monitoring data from the database, performs the analysis and outputs an analysis result.
However, when the analysis module performs behavior analysis on a process, all processes related to that process are analyzed comprehensively. The analysis module must read a huge amount of data from the database before conducting the behavior analysis, which reduces analysis efficiency.
In general, process behavior analysis is time-consuming, and the monitoring process records a large amount of data; if that data is not handled in time, data loss or reduced monitoring efficiency may result. To avoid these problems, in the prior art the monitoring data obtained by monitoring is usually stored in a database and read from the database in time order for analysis when behavior analysis is performed.
However, this causes a new problem: the amount of monitoring data is very large, and it occupies a large amount of storage space.
In view of this, how to effectively improve the efficiency of behavior analysis on a process is a technical problem to be solved.
Disclosure of Invention
The invention provides a method, a device and a storage medium for analyzing process behavior, used to solve the technical problem of the low efficiency of process behavior analysis in the prior art.
In order to solve the above technical problem, the technical solution of the process behavior analysis method provided by an embodiment of the present invention is as follows:
acquiring monitoring data obtained by monitoring a preset process;
writing the monitoring data into a behavior record file, the behavior record file being used to store data related to monitoring the process behavior;
when behavior analysis is performed on the preset process, reading the monitoring data from the behavior record file and performing analysis and process behavior statistics on the monitoring data, thereby obtaining a process behavior analysis result for the preset process.
By writing the monitoring data of the preset process into a behavior record file, the import and export of binary data to and from a database can be omitted. When behavior analysis is performed on the preset process, the monitoring data is read directly from the behavior record file and parsed, and the parsed data is kept in memory for the subsequent behavior analysis of the preset process, which yields the process behavior analysis result. Because the read and write speed of memory is much higher than the import and export speed of a database, the time and storage space consumed by the whole process behavior analysis are reduced, so the efficiency of behavior analysis on the process is effectively improved.
Optionally, writing the monitoring data into a behavior record file includes:
writing the running environment information of the preset process and the version information of the behavior record file into a file header of the behavior record file;
and writing a plurality of Application Programming Interfaces (APIs) called by the preset process into an API record of the behavior record file.
Optionally, writing the running environment information of the preset process and the version information of the behavior record file into a file header of the behavior record file includes:
writing the identifier of the behavior record file into the flag bits of the file header;
writing the file version adopted by the behavior record file into the file version information of the file header;
writing system architecture information adopted by the running environment of the preset process into a target architecture of the file header;
and writing version information of a system supported by the running environment of the preset process into a system version of the file header.
Optionally, writing the multiple application programming interfaces (APIs) called by the preset process into the API record of the behavior record file includes:
executing the following operations for the current API called by the preset process:
writing the type of the current API, and whether the call time of the current API is the same as that of the previous API, into the API flag information of the API record of the current API;
writing the time difference between the current API and the previous API into the API reference information of the API record of the current API;
and writing the parameters of the current API into the API parameters of the API record of the current API.
Optionally, writing the type of the current API, and whether the call time of the current API is the same as that of the previous API, into the API flag information of the API record of the current API includes:
if the process PID or thread TID of the current API differs from that of the previous API, and the length of the PID or TID value is greater than 16 bits, writing 1 into the PID & TID bit of the API flag information, otherwise writing 0 into the PID & TID bit;
if the PID of the current API is the same as that of the previous API, writing 1 into the PID flag bit of the API flag information, otherwise writing 0 into the PID flag bit;
if the TID of the current API is the same as that of the previous API, writing 1 into the TID flag bit of the API flag information, otherwise writing 0 into the TID flag bit;
writing the storage size occupied by the time difference between the current API and the previous API into the timestamp flag bits of the API flag information, where the timestamp flag bits occupy 2 binary bits;
writing the architecture mode supported by the system on which the preset process runs into the sub-architecture flag bit of the API flag information, where 0 represents the default mode and 1 represents the compatibility mode;
and if the API ID of the current API is the same as that of the previous API, writing 1 into the API flag bit of the API flag information, otherwise writing 0 into the API flag bit.
Optionally, writing the time difference between the current API and the previous API into the API reference information of the API record of the current API includes:
writing the time difference between the current API and the previous API into the timestamp data value of the API reference information;
if the PID values of the current API and the previous API are the same, the PID data value of the API reference information is null, otherwise the PID value of the current API is written into the PID data value;
if the TID value of the current API is the same as that of the previous API, the TID data value of the API reference information is null, otherwise the TID value of the current API is written into the TID data value;
and if the API ID value of the current API is the same as that of the previous API, the API ID data value of the API reference information is null, otherwise the API ID value of the current API is written into the API ID data value.
Optionally, writing the parameters of the current API to the API parameters of the API record of the current API includes:
if the parameters of the current API are parameters with storage types, writing 0 into an API parameter storage type mark of the API parameters, otherwise writing 1 into the API parameter storage type mark;
and writing the parameter value of the current API into the API parameter ID value of the API parameter.
Optionally, if the parameter of the current API is a parameter with a storage type, the method further includes:
if the parameter is the embedded storage type, writing 0 into an embedded or extended storage type flag bit of the API parameter;
and if the parameter is of an extended storage type, writing 1 into the embedded or extended storage type flag bit.
In a second aspect, an embodiment of the present invention provides an apparatus for process behavior analysis, including:
the acquisition unit is used for acquiring monitoring data for monitoring a preset process;
the writing unit is used for writing the monitoring data into a behavior record file; the behavior record file is used for storing related data for monitoring the process behavior;
and the behavior analysis unit is used for reading the monitoring data from the behavior record file when the behavior analysis is carried out on the preset process, analyzing the monitoring data and carrying out process behavior statistics to obtain a process behavior analysis result of the preset process.
Optionally, the writing unit is configured to:
writing the running environment information of the preset process and the version information of the behavior record file into a file header of the behavior record file;
and writing a plurality of Application Programming Interfaces (APIs) called by the preset process into an API record of the behavior record file.
Optionally, the writing unit is configured to:
writing the identifier of the behavior record file into the flag bits of the file header;
writing the file version adopted by the behavior record file into the file version information of the file header;
writing system architecture information adopted by the running environment of the preset process into a target architecture of the file header;
and writing version information of a system supported by the running environment of the preset process into a system version of the file header.
Optionally, the writing unit is configured to:
execute the following operations for the current API called by the preset process:
writing the type of the current API, and whether the call time of the current API is the same as that of the previous API, into the API flag information of the API record of the current API;
writing the time difference between the current API and the previous API into the API reference information of the API record of the current API;
and writing the parameters of the current API into the API parameters of the API record of the current API.
Optionally, the writing unit is configured to:
if the process PID or thread TID of the current API differs from that of the previous API, and the length of the PID or TID value is greater than 16 bits, write 1 into the PID & TID bit of the API flag information, otherwise write 0 into the PID & TID bit;
if the PID of the current API is the same as that of the previous API, write 1 into the PID flag bit of the API flag information, otherwise write 0 into the PID flag bit;
if the TID of the current API is the same as that of the previous API, write 1 into the TID flag bit of the API flag information, otherwise write 0 into the TID flag bit;
write the storage size occupied by the time difference between the current API and the previous API into the timestamp flag bits of the API flag information, where the timestamp flag bits occupy 2 binary bits;
write the architecture mode supported by the system on which the preset process runs into the sub-architecture flag bit of the API flag information, where 0 represents the default mode and 1 represents the compatibility mode;
and if the API ID of the current API is the same as that of the previous API, write 1 into the API flag bit of the API flag information, otherwise write 0 into the API flag bit.
Optionally, the writing unit is configured to:
write the time difference between the current API and the previous API into the timestamp data value of the API reference information;
if the PID values of the current API and the previous API are the same, leave the PID data value of the API reference information null, otherwise write the PID value of the current API into the PID data value;
if the TID value of the current API is the same as that of the previous API, leave the TID data value of the API reference information null, otherwise write the TID value of the current API into the TID data value;
and if the API ID value of the current API is the same as that of the previous API, leave the API ID data value of the API reference information null, otherwise write the API ID value of the current API into the API ID data value.
Optionally, the writing unit is configured to:
if the parameters of the current API are parameters with storage types, writing 0 into an API parameter storage type mark of the API parameters, otherwise writing 1 into the API parameter storage type mark;
and writing the parameter value of the current API into the API parameter ID value of the API parameter.
Optionally, the writing unit is configured to:
if the parameter is the embedded storage type, writing 0 into an embedded or extended storage type flag bit of the API parameter;
and if the parameter is of an extended storage type, writing 1 into the embedded or extended storage type flag bit.
In a third aspect, an embodiment of the present invention further provides an apparatus for process behavior analysis, including:
at least one processor, and
a memory coupled to the at least one processor;
wherein the memory stores instructions executable by the at least one processor, the at least one processor performing the method of the first aspect described above by executing the instructions stored by the memory.
In a fourth aspect, embodiments of the present invention also provide a computer-readable storage medium, including:
the computer readable storage medium stores computer instructions which, when run on a computer, cause the computer to perform the method as described in the first aspect above.
Through the technical scheme in the one or more embodiments of the present invention, the embodiments of the present invention have at least the following technical effects:
in the embodiment provided by the invention, writing the monitoring data of the preset process into a behavior record file allows the import and export of binary data to and from a database to be omitted. When behavior analysis is performed on the preset process, the monitoring data is read directly from the behavior record file and parsed, and the parsed data is kept in memory for the subsequent behavior analysis of the preset process, which yields the process behavior analysis result. Because the read and write speed of memory is much higher than the import and export speed of a database, the time and storage space consumed by the whole process behavior analysis are reduced, so the efficiency of behavior analysis on the process is effectively improved.
Drawings
FIG. 1 is a flowchart of a process behavior analysis method according to an embodiment of the present application;
FIG. 2 is a schematic diagram of a behavior record file according to an embodiment of the present application;
FIG. 3 is a schematic structural diagram of a process behavior analysis device according to an embodiment of the present application.
Detailed Description
The embodiment of the application provides a method, a device and a storage medium for analyzing process behaviors, which are used for solving the technical problem of low process behavior analysis efficiency in the prior art.
The technical solution in the embodiment of the application aims to solve the above technical problem, and its overall idea is as follows:
the method for analyzing process behavior comprises the following steps: acquiring monitoring data obtained by monitoring a preset process; writing the monitoring data into a behavior record file, the behavior record file being used to store data related to monitoring the process behavior; and, when behavior analysis is performed on the preset process, reading the monitoring data from the behavior record file and performing analysis and process behavior statistics on the monitoring data, thereby obtaining a process behavior analysis result for the preset process.
In this solution, writing the monitoring data of the preset process into a behavior record file allows the import and export of binary data to and from a database to be omitted. When behavior analysis is performed on the preset process, the monitoring data is read directly from the behavior record file and parsed, and the parsed data is kept in memory for the subsequent behavior analysis of the preset process, which yields the process behavior analysis result. Because the read and write speed of memory is much higher than the import and export speed of a database, the time and storage space consumed by the whole process behavior analysis are reduced, so the efficiency of behavior analysis on the process is effectively improved.
In order to better understand the above technical solution, the technical solution of the present invention is described in detail below with reference to the accompanying drawings and specific embodiments. It should be understood that the specific features of the embodiments of the present invention are detailed descriptions of the technical solution of the present invention and do not limit it, and that the technical features of the embodiments may be combined with each other where they do not conflict.
Referring to fig. 1, an embodiment of the present invention provides a method for analyzing process behavior, and the processing procedure of the method is as follows.
Step 101: and acquiring monitoring data for monitoring the preset process.
In the embodiment of the invention, the preset process may be an operation that calls application programming interfaces (APIs) related to security and to critical system data in the operating system. When the preset process is monitored, breakpoints may be set at the entry and exit of the APIs in the operating system that are related to security and to critical system data; monitoring is triggered at the set breakpoints, and the parameter values at the call start and return points of the API are recorded as monitoring data, which serve as the raw data for subsequent process behavior analysis.
It should be noted that, in the embodiment provided by the invention, the monitoring of process behavior may use an imperceptible (non-aware) breakpoint monitoring technique or any existing monitoring technique, which is not limited here.
After the monitoring data is obtained, step 102 may be performed.
Step 102: writing the monitoring data into a behavior record file; the behavior record file is used for storing related data for monitoring the process behavior.
Fig. 2 is a schematic structural diagram of a behavior record file according to an embodiment of the present invention. The behavior record file mainly consists of two parts, including: a file header and a plurality of API records.
Specifically, the writing of the monitoring data into the behavior record file may be implemented in the following manner:
and writing the running environment information of the preset process and the version information of the behavior record file into the file header of the behavior record file.
And writing a plurality of APIs called by the preset process into an API record of the behavior record file.
In the behavior record file, the file header includes:
Flag bits: the header flag of the bin file.
File version information: the file version adopted by the behavior record file.
Target architecture: the system architecture adopted by the running environment of the preset process.
The "x86" architecture is denoted by "1", the "sub-architecture" by "2", the "arm" architecture by "3", and the "arm64" architecture by "4".
System version: the version of the system supported by the running environment of the preset process.
The system "Windows_NT_40" is denoted by "1", the system "Windows_NT_50" by "2", the system "Windows_NT_51" by "3", the system "Windows_NT_52" by "4", the system "Windows_NT_60" by "5", the system "Windows_NT_61" by "6", the system "Windows_NT_62" by "7", and the system "Windows_NT_X_1709" by "8".
Specifically, the running environment information of the preset process and the version information of the behavior record file are written into the file header of the behavior record file, and the following mode is adopted:
Writing the identifier of the behavior record file into the flag bits of the file header.
And writing the file version adopted by the behavior record file into file version information of the file header.
And writing system architecture information adopted by the running environment of the preset process into a target architecture of the file header.
And writing version information of a system supported by the running environment of the preset process into a system version of the file header.
In the behavior record file, each API record includes: API flag bit information, API reference information and API parameters.
The multiple application programming interfaces (APIs) called by the preset process are written into the API record of the behavior record file by executing the following operations for the current API called by the preset process:
Writing the type of the current API, and whether the call time of the current API is the same as that of the previous API, into the API flag information of the API record of the current API.
Writing the time difference between the call of the current API and the call of the previous API into the API reference information of the API record of the current API.
Writing the parameters of the current API into the API parameters of the API record of the current API.
In the embodiment provided by the invention, the API flag bit information consists of the following fields, from the high-order bit to the low-order bit:
Extension flag bit: temporarily unused, reserved for later use.
Process & thread (PID & TID) flag bit (1 bit): when 1, PID or TID values (where present) are stored with a 4B (32-bit) length; when 0, PID or TID values (where present) are stored with a 2B (16-bit) length.
PID flag bit (1 bit): when 1, the PID is the same as the PID of the previous API record; when 0, if the PID & TID flag bit is 1, a 4B (32-bit) integer is read as the PID value, and if the PID & TID flag bit is 0, a 2B (16-bit) integer is read as the PID value.
TID flag bit (1 bit): when 1, the TID is the same as the TID of the previous API record; when 0, if the PID & TID flag bit is 1, a 4B (32-bit) integer is read as the TID value, and if the PID & TID flag bit is 0, a 2B (16-bit) integer is read as the TID value.
Timestamp flag bits (2 bits): when 11, the relative timestamp is 1;
when 01, a 1B (8-bit) integer is read as the relative timestamp;
when 10, a 4B (32-bit) integer is read as the relative timestamp;
when 00, the relative timestamp is 0, i.e. the same as the absolute timestamp recorded in the previous record.
Sub-architecture flag bit (1 bit): when 0, the mode supported by the target architecture by default; when 1, a compatibility mode. For example, if the target architecture is X64, a flag bit of 0 indicates X64 and a flag bit of 1 indicates the 32-bit compatibility mode.
API flag bit (1 bit): when 0, this record and the previous record do not have the same API ID.
When 1, this record and the previous record have the same API ID, and this record need not store the API ID value.
In the embodiment provided by the invention, the type of the current API, and whether the call time of the current API is the same as that of the previous API, are written into the API flag information of the API record of the current API in the following way:
If the process PID or thread TID of the current API differs from that of the previous API, and the length of the PID or TID value is greater than 16 bits, 1 is written into the PID & TID bit of the API flag information; otherwise 0 is written into the PID & TID bit.
If the PID of the current API is the same as that of the previous API, 1 is written into the PID flag bit of the API flag information; otherwise 0 is written into the PID flag bit.
If the TID of the current API is the same as that of the previous API, 1 is written into the TID flag bit of the API flag information; otherwise 0 is written into the TID flag bit.
The storage size occupied by the time difference between the current API and the previous API is written into the timestamp flag bits of the API flag information; the timestamp flag bits occupy 2 binary bits.
The architecture mode supported by the system on which the preset process runs is written into the sub-architecture flag bit of the API flag information, where 0 represents the default mode and 1 represents the compatibility mode.
If the API ID of the current API is the same as that of the previous API, 1 is written into the API flag bit of the API flag information; otherwise 0 is written into the API flag bit.
In the embodiment provided by the invention, the API reference information sequentially comprises the following components from high order to low order:
timestamp data value: the relative time stamp represents the time difference between the present record and the last record. By recording the relative time differences, the data footprint can be reduced.
PID data value: depending on the flag bit, there may be no value (same as the previous record), or an integer of length 2B or 4B.
TID data value: depending on the flag bit, there may be no value (same as the previous record), or an integer of length 2B or 4B.
API ID value: depending on the flag bit, there may be no value (same as the previous record) or an integer of length 2B.
The time difference between the call of the current API and the call of the previous API is written into the API reference information of the API record of the current API in the following way:
The time difference between the call of the current API and the call of the previous API is written into the timestamp data value of the API reference information.
If the PID value of the current API is the same as that of the previous API, the PID data value of the API reference information is null; otherwise the PID value of the current API is written into the PID data value.
If the TID value of the current API is the same as that of the previous API, the TID data value of the API reference information is null; otherwise the TID value of the current API is written into the TID data value.
If the API ID value of the current API is the same as that of the previous API, the API ID data value of the API reference information is null; otherwise the API ID value of the current API is written into the API ID data value.
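The flag byte and the reference information described above, as an added worked example that is not the patent's own code: it encodes a constructed sequence of API calls into records using the 1-bit PID & TID, PID, TID, sub-architecture and API flags and the 2-bit timestamp code, and decodes them back. The page does not state byte order, the width of the extension field, or what the first record is compared against, so the code assumes little-endian integers, a 1-bit extension field and an all-zero virtual predecessor; the field and function names are the example's own.

```python
"""API record flag byte + reference information codec for the behavior record
file described above (added example; assumes little-endian integers, a 1-bit
extension field and an all-zero virtual record before the first call)."""
from dataclasses import dataclass
import struct

# Flag byte layout, high-order bit to low-order bit (bit 7 = unused extension)
PIDTID_BIT   = 0x40  # 1: PID/TID values stored as 4B, 0: as 2B
PID_SAME_BIT = 0x20  # 1: PID same as previous record, not stored
TID_SAME_BIT = 0x10  # 1: TID same as previous record, not stored
TS_SHIFT     = 2     # bits 3..2: timestamp coding, see TS_* below
SUBARCH_BIT  = 0x02  # 0: default mode, 1: compatible mode
API_SAME_BIT = 0x01  # 1: API ID same as previous record, not stored
TS_ZERO, TS_1B, TS_4B, TS_ONE = 0b00, 0b01, 0b10, 0b11  # delta 0 / 1B / 4B / 1

@dataclass
class ApiCall:
    timestamp: int        # absolute call time, any monotonic unit
    pid: int
    tid: int
    api_id: int
    compat: bool = False  # sub-architecture compatibility mode

_INITIAL = ApiCall(timestamp=0, pid=0, tid=0, api_id=0)  # assumed predecessor

def encode_records(calls):
    """Serialise ApiCall objects as flag byte + reference info (no parameters)."""
    out, prev = bytearray(), _INITIAL
    for c in calls:
        if c.timestamp < prev.timestamp:
            raise ValueError("timestamps must not go backwards")
        if c.pid > 0xFFFFFFFF or c.tid > 0xFFFFFFFF or c.api_id > 0xFFFF:
            raise ValueError("PID/TID must fit in 32 bits and API ID in 16")
        flags, body = 0, bytearray()
        # Timestamp: the 2-bit code means delta 0, delta 1, 1B delta or 4B delta
        delta = c.timestamp - prev.timestamp
        if delta in (0, 1):
            ts_code = TS_ZERO if delta == 0 else TS_ONE
        elif delta <= 0xFFFFFFFF:
            ts_code = TS_1B if delta <= 0xFF else TS_4B
            body += struct.pack("<B" if ts_code == TS_1B else "<I", delta)
        else:
            raise ValueError("time difference does not fit in 32 bits")
        flags |= ts_code << TS_SHIFT
        # PID & TID width bit: 4B only when a changed ID does not fit in 16 bits
        pid_changed, tid_changed = c.pid != prev.pid, c.tid != prev.tid
        wide = (pid_changed and c.pid > 0xFFFF) or (tid_changed and c.tid > 0xFFFF)
        fmt = "<I" if wide else "<H"
        if wide:
            flags |= PIDTID_BIT
        if pid_changed:
            body += struct.pack(fmt, c.pid)
        else:
            flags |= PID_SAME_BIT
        if tid_changed:
            body += struct.pack(fmt, c.tid)
        else:
            flags |= TID_SAME_BIT
        if c.api_id != prev.api_id:
            body += struct.pack("<H", c.api_id)   # API ID is always 2B
        else:
            flags |= API_SAME_BIT
        if c.compat:
            flags |= SUBARCH_BIT
        out.append(flags)
        out += body
        prev = c
    return bytes(out)

def decode_records(data):
    """Inverse of encode_records; rejects truncated input."""
    calls, prev, pos = [], _INITIAL, 0

    def take(fmt):
        nonlocal pos
        size = struct.calcsize(fmt)
        if pos + size > len(data):
            raise ValueError("truncated record at offset %d" % pos)
        (value,) = struct.unpack_from(fmt, data, pos)
        pos += size
        return value

    while pos < len(data):
        flags = take("<B")
        fmt = "<I" if flags & PIDTID_BIT else "<H"
        ts_code = (flags >> TS_SHIFT) & 0x03
        if ts_code in (TS_ZERO, TS_ONE):
            delta = 0 if ts_code == TS_ZERO else 1
        else:
            delta = take("<B" if ts_code == TS_1B else "<I")
        pid = prev.pid if flags & PID_SAME_BIT else take(fmt)
        tid = prev.tid if flags & TID_SAME_BIT else take(fmt)
        api_id = prev.api_id if flags & API_SAME_BIT else take("<H")
        cur = ApiCall(prev.timestamp + delta, pid, tid, api_id,
                      bool(flags & SUBARCH_BIT))
        calls.append(cur)
        prev = cur
    return calls
```

Four consecutive calls from one thread encode to 26 bytes here against 72 bytes for fixed 8-byte timestamps with 4-byte PID/TID and 2-byte API ID; a call whose time difference exceeds 32 bits, or a truncated file, is rejected rather than silently mis-parsed.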
In the embodiment provided by the invention, the API parameters consist of the following fields, from the high-order bit to the low-order bit:
API parameter storage type flag bit (1 bit): when 1, the parameter is of a type with a storage type; when 0, the parameter has no storage type, and its binary data can be stored (parsed) directly according to the parameter type.
API parameter ID value (7 bits): a 7-bit ID value that uniquely identifies the parameter type.
Referring to table 1, table 1 shows whether the parameter type data format is stored.
TABLE 1
When the API parameter is of a type with a storage type, there is still an 8bit flag bit to distinguish between different storage types.
At this time, the API parameters sequentially include, from high order to low order:
embedded or extended storage type flag bit (1 bit): when the parameter is 0, the parameter is an embedded storage type, and the 7bit at the back is parameter value data; when 1, the parameter is an extended storage type, and the parameter value needs to be stored (parsed) continuously according to different extended types.
As shown in table 2, a parameter type data format is stored for the embedded type.
TABLE 2
The parameters of the current API may be written into the API parameters of the API record of the current API as follows:
if the parameter of the current API is a parameter with a storage type, 0 is written into the API parameter store-type flag of the API parameter, otherwise 1 is written into the API parameter store-type flag.
The parameter value of the current API is written into the API parameter ID value of the API parameter.
Table 3 shows the data format for the extended storage type.
TABLE 3
If the parameter of the current API is a parameter with a storage type, it may be written as follows:
if the parameter is of the embedded storage type, 0 is written into the embedded-or-extended storage type flag bit of the API parameter.
If the parameter is of the extended storage type, 1 is written into the embedded-or-extended storage type flag bit.
For example, to store the integer value -1, the prior art stores it as a 32-bit unsigned integer, i.e. writes 0xFFFFFFFF, and needs 32 bits of storage; when it is stored in the behavior record file provided by the embodiment of the invention, only the embedded storage type 0x41 needs to be written, occupying 8 bits. Storing data in the behavior record file of the embodiment therefore clearly reduces the storage space used. Since the volume of monitoring data (binary data) generated when monitoring process behavior is very large, recording it in the behavior record file provided by the embodiment effectively reduces storage space consumption and improves storage utilization.
In the embodiment provided by the invention, storing the monitoring data in the behavior record file allows richer parameter types to be stored and uses the binary data bits more effectively: for each item of monitoring data to be written, a suitable storage type can be selected according to the length of the data, which saves storage space and improves storage efficiency.
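The parameter encoding of this section (store-type flag and 7-bit type ID in the first byte, then an embedded-or-extended storage byte, with the smallest storage type chosen by the length of the value, as in the -1 example) as an added Python example; it is not the patent's code. Tables 1 to 3 are not reproduced on the page, so the type IDs, the extended-type codes, the 7-bit two's-complement range for embedded integers and the little-endian byte order are assumptions. The page is also inconsistent about the polarity of the store-type flag (the field description says 1 = has a storage type, the writing steps say 0); the example follows the field description.

```python
"""API parameter encoding with a store-type flag, 7-bit type ID and embedded or
extended storage byte. Added example, not the patent's code. Type IDs, extended
type codes, the 7-bit two's-complement embedded range and little-endian order
are assumptions (Tables 1-3 are not reproduced on the page)."""
import struct
from typing import List, Tuple, Union

STORE_FLAG = 0x80        # bit 7 of the parameter byte: 1 = has a storage type
EXTENDED_FLAG = 0x80     # bit 7 of the storage byte: 0 = embedded, 1 = extended

# Assumed 7-bit parameter type IDs. Types without a storage type are stored raw
# at a fixed size; types with a storage type choose embedded or extended.
RAW_TYPES = {0x01: "<I", 0x02: "<Q"}             # e.g. 32-bit and 64-bit HANDLE
TYPED_INT, TYPED_STR = 0x10, 0x11                 # signed integer, UTF-8 string
EXT_INT = {1: "<b", 2: "<h", 4: "<i", 8: "<q"}    # extended code = integer width
EXT_STR = 0x20                                    # extended: 2-byte length + bytes

Param = Tuple[int, Union[int, str]]


def _int_width(v: int) -> int:
    """Smallest signed width in bytes that holds v."""
    for n in (1, 2, 4, 8):
        if -(1 << (8 * n - 1)) <= v < (1 << (8 * n - 1)):
            return n
    raise ValueError("integer does not fit in 8 bytes")


def encode_param(type_id: int, value: Union[int, str]) -> bytes:
    if type_id in RAW_TYPES:                       # no storage type: raw binary
        return bytes([type_id]) + struct.pack(RAW_TYPES[type_id], value)
    head = bytes([STORE_FLAG | type_id])
    if type_id == TYPED_INT:
        if -64 <= value <= 63:                     # embedded: value in the low 7 bits
            return head + bytes([value & 0x7F])
        n = _int_width(value)                      # extended: smallest width that fits
        return head + bytes([EXTENDED_FLAG | n]) + struct.pack(EXT_INT[n], value)
    if type_id == TYPED_STR:
        data = value.encode("utf-8")
        return head + bytes([EXTENDED_FLAG | EXT_STR]) + struct.pack("<H", len(data)) + data
    raise ValueError(f"unknown parameter type {type_id:#x}")


def encode_params(params: List[Param]) -> bytes:
    return b"".join(encode_param(t, v) for t, v in params)


def decode_params(buf: bytes) -> List[Param]:
    """Parse consecutive parameters. Lengths come from the file, so the string
    read is bounds-checked; a truncated fixed field raises instead of reading
    past the buffer."""
    out: List[Param] = []
    pos = 0
    while pos < len(buf):
        first, pos = buf[pos], pos + 1
        type_id = first & 0x7F
        if not first & STORE_FLAG:
            fmt = RAW_TYPES[type_id]
            (v,), pos = struct.unpack_from(fmt, buf, pos), pos + struct.calcsize(fmt)
        else:
            sb, pos = buf[pos], pos + 1
            if type_id == TYPED_INT and not sb & EXTENDED_FLAG:
                v = sb - 0x80 if sb & 0x40 else sb          # sign-extend 7 bits
            elif type_id == TYPED_INT:
                n = sb & 0x7F
                (v,), pos = struct.unpack_from(EXT_INT[n], buf, pos), pos + n
            elif type_id == TYPED_STR and (sb & 0x7F) == EXT_STR:
                (ln,), pos = struct.unpack_from("<H", buf, pos), pos + 2
                if pos + ln > len(buf):
                    raise ValueError("truncated string parameter")
                v, pos = buf[pos:pos + ln].decode("utf-8"), pos + ln
            else:
                raise ValueError(f"unknown storage type {sb:#x} for type {type_id:#x}")
        out.append((type_id, v))
    return out


# Constructed sample: parameters of one file-open call as a monitor might record
# them: a path, the -1 from the page's example, an access mask and a raw handle.
SAMPLE_PARAMS: List[Param] = [
    (TYPED_STR, "C:\\Users\\a\\AppData\\Roaming\\up.exe"),
    (TYPED_INT, -1),
    (TYPED_INT, 0x40000000),
    (0x01, 0xDEADBEEF),
]
```

With this layout the value portion of -1 occupies one byte (the embedded storage byte) instead of the four bytes of a fixed 32-bit field, while 0x40000000 falls back to the 4-byte extended form. The bounds check in decode_params is not optional: the file is written by a monitor running next to the observed process, so the parser that later loads it into memory for analysis is itself an attack surface.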
After the monitoring data has been written to the behavior record file, step 103 may be performed.
Step 103: when behavior analysis is performed on the preset process, the monitoring data is read from the behavior record file, and the monitoring data is parsed and process behavior statistics are compiled from it, so that a process behavior analysis result of the preset process is obtained.
Decompression (parsing) of the monitoring data is the reverse of the process of writing the monitoring data into the behavior record file, and is not described again here.
After the monitoring data has been decompressed and parsed, it can be processed record by record in time order: the handles, processes, threads and so on that appear in the monitoring data are dynamically simulated and reproduced, and the changes the process undergoes during the monitoring period are obtained. In this way each handle, process or thread used in the process behavior analysis is mapped to its concrete object, such as the operated object or the operation path, and the correspondence between the concrete objects and the handles, processes and threads is stored in corresponding virtual table entries. The virtual table entries thus record the handles, processes and threads created by the preset process together with their attributes, which constitutes the process behavior analysis result of the preset process.
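The replay described above, as an added Python example rather than the patent's code: decoded records are walked in time order, a handle returned by an open call is bound to the concrete object (the path) in a per-process table, later calls on that handle are resolved against the table, and closed handles are removed so that a reused handle value resolves to the new object rather than the old one. The record fields and the Windows API names in the constructed sample are assumptions about what the monitor records.

```python
"""Replay of decoded API records into per-process virtual tables (handles,
threads, child processes) so that later calls resolve to concrete objects.
Added example, not the patent's code; the record fields and the API names in
the constructed sample are assumptions about what the monitor records."""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

INVALID_HANDLE = 0xFFFFFFFF   # assumed encoding of INVALID_HANDLE_VALUE in records


@dataclass
class Rec:
    ts: int
    pid: int
    tid: int
    api: str
    args: dict
    ret: int


@dataclass
class ProcState:
    """One virtual table entry per process: open handles, seen threads, children."""
    handles: Dict[int, str] = field(default_factory=dict)   # handle -> object path
    threads: Set[int] = field(default_factory=set)
    children: List[int] = field(default_factory=list)


def replay(records: List[Rec]) -> Tuple[Dict[int, ProcState], List[dict], List[Rec]]:
    """Walk records in time order. Returns the per-process tables, the resolved
    behaviours (pid, api, concrete object) and the records whose handle was never
    seen being opened, which points at a gap in the recording, not real activity."""
    procs: Dict[int, ProcState] = defaultdict(ProcState)
    behaviour: List[dict] = []
    unresolved: List[Rec] = []
    for r in sorted(records, key=lambda x: x.ts):
        st = procs[r.pid]
        st.threads.add(r.tid)
        if r.api == "CreateFileW":
            # Bind the returned handle to its path; a failed open binds nothing.
            if r.ret != INVALID_HANDLE:
                st.handles[r.ret] = r.args["path"]
            behaviour.append({"pid": r.pid, "api": r.api, "object": r.args["path"]})
        elif r.api in ("ReadFile", "WriteFile"):
            path = st.handles.get(r.args["handle"])
            if path is None:
                unresolved.append(r)
            behaviour.append({"pid": r.pid, "api": r.api, "object": path})
        elif r.api == "CloseHandle":
            # Drop the binding so a later reuse of the same handle value is not
            # attributed to the old object.
            st.handles.pop(r.args["handle"], None)
        elif r.api == "CreateProcessW":
            child = r.args["child_pid"]
            st.children.append(child)
            procs[child]            # make sure the child has its own table entry
            behaviour.append({"pid": r.pid, "api": r.api, "object": r.args["cmdline"]})
    return dict(procs), behaviour, unresolved


def write_targets(behaviour: List[dict]) -> Dict[str, int]:
    """Statistic over the replayed behaviour: number of WriteFile calls per path."""
    counts: Dict[str, int] = defaultdict(int)
    for b in behaviour:
        if b["api"] == "WriteFile" and b["object"] is not None:
            counts[b["object"]] += 1
    return dict(counts)


DOC = "C:\\Users\\a\\doc.txt"
DROP = "C:\\Users\\a\\AppData\\Roaming\\up.exe"
# Constructed sample: handle 0x1C4 is closed and reused for a second file, one
# write uses a handle that was never opened, and a child process is spawned.
SAMPLE: List[Rec] = [
    Rec(10, 4212, 4216, "CreateFileW", {"path": DOC}, 0x1C4),
    Rec(12, 4212, 4216, "WriteFile", {"handle": 0x1C4}, 1),
    Rec(13, 4212, 4216, "CloseHandle", {"handle": 0x1C4}, 1),
    Rec(20, 4212, 4216, "CreateFileW", {"path": DROP}, 0x1C4),
    Rec(21, 4212, 4216, "WriteFile", {"handle": 0x1C4}, 1),
    Rec(22, 4212, 4220, "WriteFile", {"handle": 0x1C4}, 1),
    Rec(25, 4212, 4220, "WriteFile", {"handle": 0x300}, 1),
    Rec(30, 4212, 4216, "CreateProcessW", {"cmdline": DROP, "child_pid": 5000}, 1),
    Rec(31, 5000, 5004, "CreateFileW", {"path": DOC}, 0x80),
]
```

Without the CloseHandle step the two later writes would be attributed to doc.txt instead of the dropped executable, which is the kind of error that turns a file-drop into an innocuous document edit in the statistics; records that reference a handle the replay never saw opened are reported separately rather than silently dropped.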
In the embodiment provided by the invention, storing the monitoring data in a behavior record file removes the import and export of binary data through a database: when behavior analysis is performed, the monitoring data is parsed from the behavior record file and kept in memory for the subsequent analysis of the process behavior. Because memory reads and writes are much faster than database import and export, the time and storage space consumed by the embodiment are smaller, which effectively improves the efficiency of process behavior analysis.
After the process behavior analysis result of the preset process has been obtained, the APIs of interest for the preset process (i.e. the analysis result) can be written into a database and used as source data for subsequent automatic generation of behavior rules, dynamic monitoring display and the like. Once the data is stored in the database, other presentable result files can be regenerated from it.
Note that the APIs of interest are not all of the APIs, and the parameters recorded for them do not necessarily include all parameters.
In the embodiment provided by the invention, writing the analysis result into the database improves the utilization of the analysis result and reduces the workload of researchers.
Based on the same inventive concept, an embodiment of the present invention provides a device for process behavior analysis. The specific implementation of the process behavior analysis method performed by the device is as described in the method embodiment and is not repeated here. Referring to fig. 3, the device includes:
an acquiring unit 301, configured to acquire monitoring data for monitoring a preset process;
a writing unit 302, configured to write the monitoring data into a behavior record file, the behavior record file being used to store data related to monitoring the process behavior;
and a behavior analysis unit 303, configured to read the monitoring data from the behavior record file when behavior analysis is performed on the preset process, and to parse the monitoring data and compile process behavior statistics from it to obtain a process behavior analysis result of the preset process.
Optionally, the writing unit 302 is configured to:
write the running environment information of the preset process and the version information of the behavior record file into a file header of the behavior record file;
and write the plurality of Application Programming Interfaces (APIs) called by the preset process into the API records of the behavior record file.
Optionally, the writing unit 302 is configured to:
write the identification of the behavior record file into the flag bit of the file header;
write the file version adopted by the behavior record file into the file version information of the file header;
write the system architecture information adopted by the running environment of the preset process into the target architecture of the file header;
and write the version information of the system supported by the running environment of the preset process into the system version of the file header.
Optionally, the writing unit 302 is configured to perform the following operations for the current API called by the preset process:
write the type of the current API, and whether the call information of the current API is the same as that of the previous API, into the API flag information of the API record of the current API;
write the time difference between the call of the current API and the call of the previous API into the API reference information of the API record of the current API;
and write the parameters of the current API into the API parameters of the API record of the current API.
Optionally, the writing unit 302 is configured to:
if the process PID or thread TID of the current API differs from that of the previous API, write 1 into the PID&TID bit of the API flag information when the PID or TID value is longer than 16 bits, and otherwise write 0 into the PID&TID bit;
if the PID of the current API is the same as that of the previous API, write 1 into the PID flag bit of the API flag information, otherwise write 0 into the PID flag bit;
if the TID of the current API is the same as that of the previous API, write 1 into the TID flag bit of the API flag information, otherwise write 0 into the TID flag bit;
write the storage space occupied by the time difference between the call of the current API and the call of the previous API into the timestamp flag bits of the API flag information, the timestamp flag bits occupying 2 binary bits;
write the architecture mode supported by the system on which the preset process runs into the sub-architecture flag bit of the API flag information, where 0 represents the default mode and 1 represents the compatible mode;
and if the API ID of the current API is the same as that of the previous API, write 1 into the API flag bit of the API flag information, otherwise write 0 into the API flag bit.
Optionally, the writing unit 302 is configured to:
write the time difference between the call of the current API and the call of the previous API into the timestamp data value of the API reference information;
if the PID value of the current API is the same as that of the previous API, leave the PID data value of the API reference information empty, otherwise write the PID value of the current API into the PID data value;
if the TID value of the current API is the same as that of the previous API, leave the TID data value of the API reference information empty, otherwise write the TID value of the current API into the TID data value;
and if the API ID value of the current API is the same as that of the previous API, leave the API ID data value of the API reference information empty, otherwise write the API ID value of the current API into the API ID data value.
Optionally, the writing unit 302 is configured to:
if the parameter of the current API is a parameter with a storage type, write 0 into the API parameter store-type flag of the API parameter, otherwise write 1 into the API parameter store-type flag;
and write the parameter value of the current API into the API parameter ID value of the API parameter.
Optionally, the writing unit 302 is configured to:
if the parameter is of the embedded storage type, write 0 into the embedded-or-extended storage type flag bit of the API parameter;
and if the parameter is of the extended storage type, write 1 into the embedded-or-extended storage type flag bit.
Based on the same inventive concept, an embodiment of the present invention provides an apparatus for process behavior analysis, including: at least one processor, and
A memory coupled to the at least one processor;
wherein the memory stores instructions executable by the at least one processor, the at least one processor executing the process behavior analysis method as described above by executing the instructions stored by the memory.
Based on the same inventive concept, an embodiment of the present invention also provides a computer readable storage medium, including:
the computer readable storage medium stores computer instructions that, when executed on a computer, cause the computer to perform the process behavior analysis method as described above.
In the embodiment provided by the invention, writing the monitoring data of the preset process into a behavior record file removes the import and export of binary data through a database. When behavior analysis is performed on the preset process, the monitoring data is read directly from the behavior record file and parsed, and the parsed data is kept in memory for the subsequent behavior analysis that produces the process behavior analysis result. Because memory reads and writes are much faster than database import and export, the time and storage space consumed by the whole process behavior analysis are reduced, and the efficiency of process behavior analysis is effectively improved.
It will be appreciated by those skilled in the art that embodiments of the present invention may be provided as a method, system, or computer program product. Accordingly, embodiments of the present invention may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, embodiments of the invention may take the form of a computer program product on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, etc.) having computer-usable program code embodied therein.
Embodiments of the present invention are described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flowchart illustrations and/or block diagrams, and combinations of flows and/or blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
It will be apparent to those skilled in the art that various modifications and variations can be made to the present invention without departing from the spirit or scope of the invention. Thus, it is intended that the present invention also include such modifications and alterations insofar as they come within the scope of the appended claims or the equivalents thereof.

Claims (11)

1. A method for analyzing process behavior, comprising:
acquiring monitoring data obtained by monitoring a plurality of Application Programming Interfaces (APIs) called by a preset process;
encoding the monitoring data corresponding to the current API called by the preset process, according to the relative change between the values of the attributes of the current API and the attributes of the previous API among the plurality of APIs and according to the storage type of the parameter of the current API, to obtain an API record of the preset process calling the current API, and writing the API record corresponding to the current API into a behavior record file; wherein the API record comprises the API parameter and the parameter type corresponding to the API parameter, API parameters of different parameter types have different storage types, and the values of API parameters of different storage types occupy different lengths;
when behavior analysis is performed on the preset process, reading and parsing each API record from the behavior record file, and statistically analyzing the process behavior of the preset process according to the parsed API records to obtain a process behavior analysis result of the preset process.
2. The analysis method according to claim 1, wherein encoding the monitoring data corresponding to the current API according to the relative change between the values of the attributes of the current API and the previous API called by the preset process among the plurality of APIs and the storage type of the parameter of the current API, to obtain an API record of the preset process calling the current API, and writing the API record corresponding to the current API into a behavior record file, comprises:
writing the running environment information of the preset process and the identifier corresponding to the version information of the behavior record file into the file header of the behavior record file;
and encoding the data of the current API called by the preset process according to the relative change between the values of the attributes of the current API and the previous API and the storage type of the parameter of the current API, and writing the encoded data into an API record of the behavior record file.
3. The analysis method according to claim 2, wherein writing the running environment information of the preset process and the identifier corresponding to the version information of the behavior record file into the file header of the behavior record file comprises:
writing the identification of the behavior record file into the flag bit of the file header;
writing the identifier corresponding to the file version adopted by the behavior record file into the file version information of the file header;
writing the identifier corresponding to the system architecture information adopted by the running environment of the preset process into the target architecture of the file header;
and writing the identifier corresponding to the version information of the system supported by the running environment of the preset process into the system version of the file header.
4. The analysis method according to claim 2, wherein encoding the data of the current API called by the preset process according to the relative change between the values of the attributes of the current API and the previous API and the storage type of the parameter of the current API, and writing the encoded data into an API record of the behavior record file, comprises:
writing the type of the current API, and whether the call information of the current API is the same as that of the previous API, into the API flag information of the API record of the current API;
writing the time difference between the call of the current API and the call of the previous API into the API reference information of the API record of the current API;
and writing the parameters of the current API into the API parameters of the API record of the current API according to the storage type corresponding to the parameters of the current API.
5. The analysis method according to claim 4, wherein writing the type of the current API, and whether the call information of the current API is the same as that of the previous API, into the API flag information of the API record of the current API comprises:
if the process PID or thread TID of the current API differs from that of the previous API, writing 1 into the PID&TID bit of the API flag information when the PID or TID value is longer than 16 bits, and otherwise writing 0 into the PID&TID bit;
if the PID of the current API is the same as that of the previous API, writing 1 into the PID flag bit of the API flag information, otherwise writing 0 into the PID flag bit;
if the TID of the current API is the same as that of the previous API, writing 1 into the TID flag bit of the API flag information, otherwise writing 0 into the TID flag bit;
writing the storage space occupied by the time difference between the call of the current API and the call of the previous API into the timestamp flag bits of the API flag information, the timestamp flag bits occupying 2 binary bits;
writing the architecture mode supported by the system on which the preset process runs into the sub-architecture flag bit of the API flag information, where 0 represents the default mode and 1 represents the compatible mode;
and if the API ID of the current API is the same as that of the previous API, writing 1 into the API flag bit of the API flag information, otherwise writing 0 into the API flag bit.
6. The analysis method according to claim 4, wherein writing the time difference between the call of the current API and the call of the previous API into the API reference information of the API record of the current API comprises:
writing the time difference between the call of the current API and the call of the previous API into the timestamp data value of the API reference information;
if the PID value of the current API is the same as that of the previous API, leaving the PID data value of the API reference information empty, otherwise writing the PID value of the current API into the PID data value;
if the TID value of the current API is the same as that of the previous API, leaving the TID data value of the API reference information empty, otherwise writing the TID value of the current API into the TID data value;
and if the API ID value of the current API is the same as that of the previous API, leaving the API ID data value of the API reference information empty, otherwise writing the API ID value of the current API into the API ID data value.
7. The analysis method according to claim 4, wherein writing the parameters of the current API into the API parameters of the API record of the current API according to the storage type corresponding to the parameters of the current API comprises:
if the parameter of the current API is a parameter with a storage type, writing 0 into the API parameter store-type flag of the API parameter, otherwise writing 1 into the API parameter store-type flag;
and writing the parameter value of the current API into the API parameter ID value of the API parameter.
8. The analysis method according to claim 7, further comprising, if the parameter of the current API is a parameter with a storage type:
if the parameter is of the embedded storage type, writing 0 into the embedded-or-extended storage type flag bit of the API parameter;
and if the parameter is of the extended storage type, writing 1 into the embedded-or-extended storage type flag bit.
9. An apparatus for analyzing process behavior, comprising:
an acquisition unit, configured to acquire monitoring data obtained by monitoring a plurality of Application Programming Interfaces (APIs) called by a preset process;
a writing unit, configured to encode the monitoring data corresponding to the current API called by the preset process, according to the relative change between the values of the attributes of the current API and the attributes of the previous API among the plurality of APIs and according to the storage type of the parameter value of the current API, to obtain an API record of the preset process calling the current API, and to write the API record corresponding to the current API into a behavior record file; wherein the API record comprises the API parameter and the parameter type corresponding to the API parameter, API parameters of different parameter types have different storage types, and the values of API parameters of different storage types occupy different lengths;
and a behavior analysis unit, configured to read and parse each API record from the behavior record file when behavior analysis is performed on the preset process, and to statistically analyze the process behavior of the preset process according to the parsed API records to obtain a process behavior analysis result of the preset process.
10. An apparatus for analyzing a process behavior, comprising:
at least one processor, and
a memory coupled to the at least one processor;
wherein the memory stores instructions executable by the at least one processor, the at least one processor performing the method of any of claims 1-8 by executing the instructions stored by the memory.
11. A computer-readable storage medium, characterized by:
the computer readable storage medium stores computer instructions which, when run on a computer, cause the computer to perform the method of any of claims 1-8.
CN201911379473.6A 2019-12-27 2019-12-27 Analysis method, device and storage medium for process behavior Active CN111143182B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201911379473.6A CN111143182B (en) 2019-12-27 2019-12-27 Analysis method, device and storage medium for process behavior

Publications (2)

Publication Number Publication Date
CN111143182A CN111143182A (en) 2020-05-12
CN111143182B true CN111143182B (en) 2023-12-05

Family

ID=70521113

Country Status (1)

Country Link
CN (1) CN111143182B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115098017B (en) * 2022-05-12 2023-04-11 北京卡普拉科技有限公司 Data processing method and device, electronic equipment and storage medium

Citations (1)

Publication number Priority date Publication date Assignee Title
CN101178653A (en) * 2007-12-03 2008-05-14 北京中星微电子有限公司 Embedded system and method supporting various processor

Family Cites Families (4)

Publication number Priority date Publication date Assignee Title
US7392370B2 (en) * 2004-01-14 2008-06-24 International Business Machines Corporation Method and apparatus for autonomically initiating measurement of secondary metrics based on hardware counter values for primary metrics
EP2845084A4 (en) * 2012-05-04 2016-08-31 Oblong Ind Inc Cross-user hand tracking and shape recognition user interface
CN103164649B (en) * 2013-02-18 2016-08-17 北京神州绿盟信息安全科技股份有限公司 Process behavior analyzes method and system
CN103365702B (en) * 2013-07-11 2017-02-08 中国科学院合肥物质科学研究院 System and method for tracking process of lightweight virtual machine under IaaS cloud environment

Also Published As

Publication number Publication date
CN111143182A (en) 2020-05-12

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information

Address after: 100089 Beijing city Haidian District Road No. 4 North wa Yitai three storey building
Applicant after: NSFOCUS Technologies Group Co.,Ltd.
Applicant after: NSFOCUS TECHNOLOGIES Inc.
Address before: 100089 Beijing city Haidian District Road No. 4 North wa Yitai three storey building
Applicant before: NSFOCUS INFORMATION TECHNOLOGY Co.,Ltd.
Applicant before: NSFOCUS TECHNOLOGIES Inc.

GR01 Patent grant