CN114490264A - File monitoring method and device of application system, electronic equipment and storage medium

Info

Publication number
CN114490264A
Application number
CN202210109643.4A
Authority
CN (China)
Legal status
Pending
Other languages
Chinese (zh)
Inventors
吴鸿霖, 旷亚和, 叶红, 姜城
Current Assignee
Industrial and Commercial Bank of China Ltd ICBC
Original Assignee
Industrial and Commercial Bank of China Ltd ICBC
Prior art keywords
operation information, abnormal, file, current, information base

Classifications

    • G06F11/302 Monitoring arrangements specially adapted to the computing system or computing system component being monitored, where the computing system component is a software system
    • G06F16/1734 Details of monitoring file system events, e.g. by the use of hooks, filter drivers, logs
    • G06F8/41 Compilation
    • G06F8/447 Target code generation
    • G06F8/72 Code refactoring


Abstract

The disclosure provides a file monitoring method and device for an application system, an electronic device and a storage medium, which can be applied in the field of artificial intelligence, finance or other fields. The method comprises the following steps: inserting monitoring code into at least one application code of the application system by instrumentation; determining, according to the monitoring code, operation information related to a business operation of the application system; and comparing the operation information with information in an operation information base corresponding to the business operation, determining abnormal operation information in the operation information, and automatically intercepting the corresponding business operation according to at least one item of abnormal operation information.

Description

File monitoring method and device of application system, electronic equipment and storage medium
Technical Field
The present disclosure relates to the field of computer security technologies, and in particular, to a method and an apparatus for monitoring a file of an application system, an electronic device, and a readable storage medium.
Background
With the development of internet technology, system security has become particularly important. Once a system is connected to the internet, how to monitor and handle attacks on internet applications in real time with more effective technical means is a topic of wide concern. Among internet application attack methods, those involving file operations, such as illegal uploading, reading and writing, and file deletion, are particularly harmful: not only can network assets be leaked and lost, but the server holding those assets can also have a webshell uploaded to it by an attacker, after which the attacker controls the server and uses it as an entry point for intranet penetration.
In the related art, where file operation conditions are monitored through logs, for example, monitoring personnel generally have to inspect a large number of logs manually and check attack behaviors one by one; because many normal services involve file operations, this method is often inefficient and cannot block attacks in real time. Where traffic is monitored, the monitoring may be defeated by traffic encryption. Moreover, these peripheral monitoring means cannot reach inside the application and cannot judge in real time whether a file contains malicious content, so the monitoring software often cannot distinguish normal services from attack requests well, which results in asset leakage from the system and attacks through malicious file operation requests.
Disclosure of Invention
In view of the foregoing, the present disclosure provides a method, an apparatus, an electronic device, a readable storage medium, and a computer program product for monitoring a file of an application system, which can effectively implement file monitoring of the application system and improve security of the application system.
According to a first aspect of the present disclosure, there is provided a file monitoring method for an application system, including: inserting monitoring code into at least one application code of the application system by instrumentation; determining, according to the monitoring code, operation information related to a business operation of the application system; and comparing the operation information with information in an operation information base corresponding to the business operation, determining abnormal operation information in the operation information, and automatically intercepting the corresponding business operation according to at least one item of abnormal operation information.
In some exemplary embodiments of the present disclosure, before comparing the operation information with information in an operation information base corresponding to the business operation, the method further includes constructing the operation information base, where the operation information base includes a normal operation information base and an abnormal operation information base; the constructing of the operation information base comprises the following steps: acquiring normal business operation corresponding to the application system, and generating a normal operation information base; and obtaining abnormal business operation fed back by the application system and/or input by a user, and generating an abnormal operation information base.
In some exemplary embodiments of the present disclosure, the operation information includes an operation file; comparing the operation information with information in the operation information base corresponding to the business operation and determining abnormal operation information in the operation information includes: transcoding the operation file to obtain its source code and comparing that source code with the type source code of the operation file to generate a first comparison result; comparing the type and/or size of the operation file with the type and/or size of operation files in the normal operation information base to generate a second comparison result; and when at least one of the first comparison result and the second comparison result is abnormal, determining that the operation file is abnormal operation information.
In some exemplary embodiments of the present disclosure, the operation information further includes a current operation path; the comparing the operation information with information in an operation information base corresponding to the business operation, and determining abnormal operation information in the operation information includes: and comparing the current operation path with an operation path in an operation information base corresponding to the current business operation, and if the current operation path is not consistent with the operation path in the normal operation information base and/or the current operation path is consistent with the operation path in the abnormal operation information base, determining that the current operation path is abnormal operation information.
In some exemplary embodiments of the present disclosure, the operation information further includes a current operation action; the comparing the operation information with information in an operation information base corresponding to the business operation, and determining abnormal operation information in the operation information includes: and comparing the current operation action with the operation action in the operation information base corresponding to the current business operation, and if the current operation action is inconsistent with the operation action in the normal operation information base and/or the current operation action is consistent with the operation action in the abnormal operation information base, determining that the current operation action is abnormal operation information.
In some exemplary embodiments of the present disclosure, the operation information further includes a current operation time; the comparing the operation information with information in an operation information base corresponding to the business operation, and determining abnormal operation information in the operation information includes: and comparing the current operation time with the range of the operation time in the operation information base corresponding to the current business operation, and if the current operation time is greater than the operation time in the normal operation information base and/or the current operation time meets the operation time in the abnormal operation information base, determining that the current operation time is abnormal operation information.
In some exemplary embodiments of the present disclosure, automatically intercepting the corresponding business operation according to at least one piece of abnormal operation information includes: generating an attack method record of the business operation according to the abnormal operation information; and obtaining a preset interception processing method to intercept the business operation according to the specific content of each piece of abnormal operation information.
In some exemplary embodiments of the present disclosure, after the automatic interception processing is performed on the business operation corresponding to at least one piece of abnormal operation information, the method further includes: analyzing and processing the result of the automatic interception processing to generate a monitoring result.
According to a second aspect of the present disclosure, there is provided a file monitoring apparatus for an application system, including: a monitoring code inserting module configured to insert monitoring code into at least one application code of the application system by instrumentation; an operation information determining module configured to determine, according to the monitoring code, operation information related to a business operation of the application system; and an automatic interception module configured to compare the operation information with information in an operation information base corresponding to the business operation, determine abnormal operation information in the operation information, and automatically intercept the corresponding business operation according to at least one item of abnormal operation information.
In some exemplary embodiments of the present disclosure, the file monitoring apparatus further includes an information base construction module, where the information base construction module is configured to construct the operation information base before comparing the operation information with information in an operation information base corresponding to the business operation. The operation information base comprises a normal operation information base and an abnormal operation information base.
In some exemplary embodiments of the present disclosure, the information base construction module includes a first construction submodule and a second construction submodule. The first construction submodule is configured to acquire normal business operation corresponding to the application system and generate a normal operation information base; and the second construction submodule is configured to acquire abnormal business operation fed back by the application system and/or input by a user and generate an abnormal operation information base.
In some exemplary embodiments of the present disclosure, the automatic interception module includes a first sub-module. The operation information comprises an operation file; the first sub-module is configured to transcode the operation file to generate a source code of the operation file, compare the source code with a type source code of the operation file, and generate a first comparison result; comparing the type and/or the size of the operation file with the type and/or the size of the operation file in the normal operation information base to generate a second comparison result; and when at least one of the first comparison result and the second comparison result is abnormal, determining that the operation file is abnormal operation information.
In some exemplary embodiments of the present disclosure, the automatic interception module includes a second sub-module. The operation information further includes a current operation path. The second sub-module is configured to compare the current operation path with an operation path in an operation information base corresponding to the current business operation, and determine that the current operation path is abnormal operation information if the current operation path is inconsistent with the operation path in the normal operation information base and/or the current operation path is consistent with the operation path in the abnormal operation information base.
In some exemplary embodiments of the present disclosure, the automatic interception module includes a third sub-module. The operation information further includes a current operation action. And the third sub-module is configured to compare the current operation action with an operation action in an operation information base corresponding to the current business operation, and if the current operation action is inconsistent with the operation action in the normal operation information base and/or the current operation action is consistent with the operation action in the abnormal operation information base, determining that the current operation action is abnormal operation information.
In some exemplary embodiments of the present disclosure, the automatic interception module includes a fourth sub-module. The operation information also includes a current operation time. And the fourth sub-module is configured to compare the current operation time with an operation time range in an operation information base corresponding to the current business operation, and determine that the current operation time is abnormal operation information if the current operation time is greater than the operation time in the normal operation information base and/or the current operation time meets the operation time in the abnormal operation information base.
In some exemplary embodiments of the present disclosure, the automatic interception module includes a fifth sub-module. The fifth sub-module is configured to: generate an attack method record of the business operation according to the abnormal operation information; and obtain a preset interception processing method to intercept the business operation according to the specific content of each piece of abnormal operation information.
In some exemplary embodiments of the present disclosure, the file monitoring apparatus further includes a monitoring result generation module. The monitoring result generation module is configured to analyze and process the result of the automatic interception processing, after that processing has been performed on the business operation corresponding to the at least one item of abnormal operation information, so as to generate a monitoring result.
According to a third aspect of the present disclosure, there is provided an electronic device comprising: one or more processors; a storage device for storing executable instructions that, when executed by the processor, implement the method according to the above.
According to a fourth aspect of the present disclosure, there is provided a computer readable storage medium having stored thereon executable instructions which, when executed by a processor, implement a method according to the above.
According to a fifth aspect of the present disclosure, a computer program product is provided, comprising a computer program which, when executed by a processor, implements the method according to the above.
According to the embodiments of the disclosure, monitoring code is inserted into the application code of the application system by instrumentation so that the business operations of the application system are monitored, and the operation information is compared with the corresponding information in the business operation information base so that the business operation is intercepted according to the abnormal operation information. This improves monitoring efficiency and accuracy, and comparing against the abnormal operation information base as well as the business operation information base effectively reduces erroneous interception.
Drawings
The foregoing and other objects, features and advantages of the disclosure will be apparent from the following description of embodiments of the disclosure, which proceeds with reference to the accompanying drawings, in which:
fig. 1 schematically shows a schematic diagram of a system architecture to which a file monitoring method of an application system of an embodiment of the present disclosure can be applied;
FIG. 2 schematically illustrates a flow chart of a file monitoring method according to an embodiment of the disclosure;
fig. 3 schematically shows a flowchart of a file monitoring method according to an embodiment of the present disclosure before operation S230;
FIG. 4 schematically shows a flowchart of a file monitoring method according to an embodiment of the present disclosure when the operation information is an operation file;
FIG. 5 schematically shows a flowchart of a file monitoring method according to an embodiment of the present disclosure when the operation information is a current operation path;
FIG. 6 schematically shows a flowchart of a file monitoring method according to an embodiment of the present disclosure when the operation information is a current operation action;
FIG. 7 schematically illustrates a flowchart of a file monitoring method according to an embodiment of the present disclosure when the operation information is a current operation time;
FIG. 8 schematically illustrates a flow diagram of a file monitoring method in performing automatic interception processing according to an embodiment of the present disclosure;
FIG. 9 schematically illustrates a flow diagram of a file monitoring method after the automatic interception processing, according to an embodiment of the disclosure;
FIG. 10 schematically shows a block diagram of a file monitoring apparatus according to an embodiment of the present disclosure; and
FIG. 11 schematically shows a block diagram of an electronic device suitable for implementing a file monitoring method according to an embodiment of the present disclosure.
Detailed Description
Hereinafter, embodiments of the present disclosure will be described with reference to the accompanying drawings. It should be understood that the description is illustrative only and is not intended to limit the scope of the present disclosure. In the following detailed description, for purposes of explanation, numerous specific details are set forth in order to provide a thorough understanding of the embodiments of the disclosure. It may be evident, however, that one or more embodiments may be practiced without these specific details. Moreover, in the following description, descriptions of well-known structures and techniques are omitted so as to not unnecessarily obscure the concepts of the present disclosure.
The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the disclosure. The terms "comprises," "comprising," and the like, as used herein, specify the presence of stated features, steps, operations, and/or components, but do not preclude the presence or addition of one or more other features, steps, operations, or components.
All terms (including technical and scientific terms) used herein have the same meaning as commonly understood by one of ordinary skill in the art to which this invention belongs, unless otherwise defined. It is noted that the terms used herein should be interpreted as having a meaning that is consistent with the context of this specification and should not be interpreted in an idealized or overly formal sense.
Where a convention analogous to "at least one of A, B and C, etc." is used, in general such a construction is intended in the sense one having skill in the art would understand the convention (e.g., "a system having at least one of A, B and C" would include but not be limited to systems that have a alone, B alone, C alone, a and B together, a and C together, B and C together, and/or A, B, C together, etc.).
In the technical solution of the disclosure, the acquisition, storage, application and the like of the personal information of the users involved all comply with the relevant laws and regulations, necessary security measures are taken, and public order and good customs are not violated.
In order to solve the problem that malicious content received by a system cannot be rapidly and effectively monitored in the related art, the disclosure provides a file monitoring method and device for an application system, an electronic device, a readable storage medium and a computer program product. The file monitoring method comprises, but is not limited to, the following steps: inserting monitoring code into at least one application code of the application system by instrumentation; determining, according to the monitoring code, operation information related to a business operation of the application system; and comparing the operation information with information in an operation information base corresponding to the business operation, determining abnormal operation information in the operation information, and automatically intercepting the corresponding business operation according to at least one item of abnormal operation information.
According to the embodiments of the disclosure, monitoring code is inserted into the application code of the application system by instrumentation so that the business operations of the application system are monitored, and the operation information is compared with the corresponding information in the business operation information base so that the business operation is automatically intercepted according to the abnormal operation information; this improves monitoring efficiency and accuracy and effectively reduces erroneous interception.
Fig. 1 schematically shows a schematic diagram of a system architecture to which the file monitoring method of the application system of the embodiment of the present disclosure can be applied. It should be noted that fig. 1 is only an example of a system architecture to which the embodiments of the present disclosure may be applied to help those skilled in the art understand the technical content of the present disclosure, and does not mean that the embodiments of the present disclosure may not be applied to other devices, systems, environments or scenarios. It should be noted that the method and apparatus for monitoring the file of the application system provided by the embodiment of the present disclosure may be used in the technical field of computer security, the related aspects of computer security in the financial field, and may also be used in any fields other than the financial field.
As shown in fig. 1, an exemplary system architecture 100 to which the file monitoring method may be applied may include terminal devices 101, 102, 103, a network 104, and a server 105. The network 104 serves as a medium for providing communication links between the terminal devices 101, 102, 103 and the server 105. Network 104 may include various connection types, such as wired, wireless communication links, or fiber optic cables, to name a few.
The user may use the terminal devices 101, 102, 103 to interact with the server 105 via the network 104 to receive or send messages or the like. The terminal devices 101, 102, 103 may have installed thereon various communication client applications, such as a file handling type application, a shopping type application, a web browser application, a search type application, an instant messaging tool, a mailbox client, social platform software, etc. (by way of example only).
The terminal devices 101, 102, 103 may be various electronic devices having display screens and supporting functions of data analysis, data processing, web browsing, etc., including but not limited to smart phones, tablet computers, laptop portable computers, desktop computers, etc.
The server 105 may be a server that provides various services, such as a background management server (for example only) that provides support for data acquired by the user using the terminal devices 101, 102, 103 or websites browsed. The background management server may analyze and perform other processing on the received data such as the user request, and feed back a processing result (e.g., a webpage, information, or data obtained or generated according to the user request) to the terminal device. The file or the like transmitted by the user may be analyzed or processed, and the terminal device may be controlled based on the processing result, for example, access of the terminal device may be restricted.
It should be noted that the file monitoring method of the application system provided by the embodiment of the present disclosure may be generally executed by the server 105. Accordingly, the file monitoring apparatus of the application system provided by the embodiment of the present disclosure may be generally disposed in the server 105. The file monitoring method of the application system provided by the embodiment of the present disclosure may also be executed by a server or a server cluster that is different from the server 105 and is capable of communicating with the terminal devices 101, 102, 103 and/or the server 105. Correspondingly, the file monitoring device of the application system provided by the embodiment of the present disclosure may also be disposed in a server or a server cluster that is different from the server 105 and is capable of communicating with the terminal devices 101, 102, 103 and/or the server 105.
It should be understood that the number of terminal devices, networks, and servers in fig. 1 is merely illustrative. There may be any number of terminal devices, networks, and servers, as desired for implementation.
The file monitoring method of the application system of the disclosed embodiment will be described in detail below with reference to fig. 2 to 9.
FIG. 2 schematically shows a flow chart of a file monitoring method according to an embodiment of the disclosure.
As shown in fig. 2, the flow 200 of the file monitoring method of the present disclosure includes operations S210 to S230.
In operation S210, monitoring code is inserted into at least one application code of the application system in an instrumented manner.
For example, monitoring code is inserted into an application of an application system by an agent in an instrumented manner, wherein the agent is independent of other programs outside the application. Specifically, the monitoring code may be inserted into the application code of the application program, but the function and structure of the code of the original application program are not changed. In this embodiment, the inserted monitoring code may be inserted into one application code, or may be inserted into multiple application codes, so as to implement monitoring on the application program of the application system.
In the embodiment of the disclosure, instrumentation is to insert a probe into an application program to be monitored, and then control flow and data flow information of the program is obtained through the execution of the probe, so as to monitor the application program and related files of the application system.
After the monitoring code is inserted into at least one application code of the application system, operation S220 is performed.
In operation S220, operation information related to the business operation of the application system is determined according to the monitoring code.
The monitoring code can acquire the control flow, data flow information and similar contents of the program, so that the operation information involved in the business operations of the application system can be tracked.
For example, the operation information may include an operation file, a current operation path, a current operation action, a current operation time, and the like. Based on the obtained operation information, the operation information can be analyzed in subsequent operations, and the content corresponding to the business operation of the application system can be obtained.
According to the monitoring code, information such as the type and size of the operation file handled by the business operation can be determined, for example. As another example, the current operation path of the business operation, the path to which a file corresponding to the business operation is moved, or the path from which a file is moved from another location may be determined. As a further example, the current operation action of the business operation may be determined, including copying, modifying and the like of the file. As yet another example, the current operation time of the business operation may be determined, including the time taken by the corresponding business operation.
After the operation information related to the business operation is determined, operation S230 is performed.
In operation S230, the operation information is compared with information in an operation information base corresponding to the service operation, abnormal operation information in the operation information is determined, and the service operation corresponding to at least one abnormal operation information is automatically intercepted.
In the embodiment of the disclosure, after the operation information is acquired, the acquired operation information is compared with information in the corresponding operation information base, so as to determine whether the operation information belongs to abnormal operation information.
If the operation information is determined to be abnormal operation information, the corresponding business operation is automatically intercepted according to the determined abnormal operation information. In the embodiment of the disclosure, automatic interception processing is performed as soon as at least one piece of operation information corresponding to the business operation is determined to be abnormal operation information, so that the accuracy of the file monitoring method can be improved.
In other optional embodiments, adjustment may also be performed according to actual situations to meet the requirements of different application systems for file monitoring.
Fig. 3 schematically shows a flowchart of a file monitoring method according to an embodiment of the present disclosure before operation S230.
In the embodiment of the present disclosure, before comparing the operation information with the information in the operation information base corresponding to the business operation, the file monitoring method of the present disclosure further includes constructing an operation information base.
The operation information base comprises a normal operation information base and an abnormal operation information base.
As shown in fig. 3, the process 300 of constructing the operation information base includes operations S310 and S320.
In operation S310, a normal service operation corresponding to the application system is obtained, and a normal operation information base is generated.
In the embodiment of the disclosure, the application system has corresponding operation information when performing normal business operation. For example, the file format of a normal business operation is a specific format: when a picture file is opened, the picture file is in jpg format; when a text file is opened, the text file is in txt format, word format or the like.
For another example, when the operation information corresponds to an operation path, opening certain files stores them under a specific path. For example, when a word file is opened, a temporary file is generated and stored in a predetermined folder.
For another example, when the operation information corresponds to an operation action, opening a certain file may generate a temporary file, or opening a file may not be expected to generate an operation such as copying the file.
For another example, when the operation information corresponds to the operation time, the time taken to open certain files falls within a certain length range, and a time within this range indicates normal operation. For example, opening a word document normally takes 1 to 3 seconds. When the time taken to open a word document exceeds this range, it may be regarded as an operation anomaly.
In the embodiment of the disclosure, the normal operation information base is generated by acquiring the operation information corresponding to normal business operations. If the operation information acquired in operation S220 corresponds to the operation information of the business operation in the normal operation information base, it may be determined that the operation information acquired in operation S220 is normal operation information.
In operation S320, an abnormal service operation fed back by the application system and/or input by the user is obtained, and an abnormal operation information base is generated.
In the embodiment of the disclosure, abnormal business operations may occur while the application system is running. Therefore, the application system may regard certain business operations as abnormal operations according to a preset pattern, and when a business operation of the application system matches the preset pattern, the application system feeds back the abnormal operation information, thereby generating the abnormal operation information base. In addition to the abnormal operation information fed back automatically by the application system, the abnormal operation information base can be supplemented and strengthened through user input, so that more abnormal operation information is included, comparison in the subsequent process is facilitated, and the accuracy of the file monitoring method is further improved.
According to the embodiment of the disclosure, by generating the normal operation information base and the abnormal operation information base, the efficiency and the accuracy of the file monitoring method in automatically intercepting the business operation corresponding to the abnormal operation information can be effectively improved. In addition, the abnormal operation information base can be perfected in a user input mode, so that the abnormal operation information base is continuously updated, the abnormal operation information base can be kept updated all the time, and the defense force of an application system is further improved.
Fig. 4 schematically shows a flowchart of a file monitoring method according to an embodiment of the present disclosure when the operation information is an operation file.
As shown in fig. 4, when the operation information is the operation file, the process 400 of comparing the operation information with the information in the operation information base corresponding to the business operation and determining the abnormal operation information in the operation information includes operations S410 to S430.
In operation S410, the operation file is transcoded to generate a source code of the operation file, and the source code is compared with the type source code of the operation file to generate a first comparison result.
In the embodiment of the disclosure, the type source codes of the operation files are included in the operation information base, and each type of file has a corresponding type source code.
For example, a picture type file has its own type source code, and a word document has the type source code corresponding to that document type.
After the operation file is obtained, transcoding the operation file to obtain a source code of the operation file, and comparing the source code with a type source code of the operation file to generate a first comparison result.
Whether the operation file is the operation file of the corresponding type or not is determined by transcoding and comparing the source code of the operation file with the type source code, so that an attacker can be effectively prevented from avoiding monitoring of an application system by modifying the suffix name of the operation file.
In the embodiment of the disclosure, if the source code of the operation file obtained after transcoding the operation file is consistent with the type source code of the operation file, the operation file is determined to be consistent, and the first comparison result is normal. And if the source code of the operation file obtained after transcoding is inconsistent with the type source code of the operation file, determining that the first comparison result is abnormal.
In operation S420, the type and/or size of the operation file is compared with the type and/or size of the operation file in the normal operation information base, so as to generate a second comparison result.
In the embodiment of the disclosure, the type of the operation file is compared with the type of the operation file in the operation information base. For example, if the operation file generated in a file generation operation of the application system is a txt file, the type of the generated txt file is compared with the type of the operation file recorded for the same file generation operation in the operation information base. If the recorded file is also a txt file, the type of the operation file of the business operation is determined to be the same as the type recorded in the operation information base, and the second comparison result is normal. If the type of the operation file corresponding to the same business operation is not consistent with the type of the operation file in the operation information base, the generated second comparison result is abnormal.
In the embodiment of the present disclosure, the size of the operation file corresponding to the same service operation needs to be compared with the size of the operation file in the operation information base, and if the size of the operation file exceeds a preset threshold, a second comparison result is generated to be abnormal.
For example, when the type of the operation file is an executable script file and contains malicious content, a significant abnormality may occur in the type or size of the file, for example, the file type is inconsistent with the type in the normal operation information base, or the file size is inconsistent with the size in the normal operation information base, and then the file is determined as abnormal operation information.
According to the embodiment of the disclosure, the source code of the operation file is obtained by transcoding the operation file and is compared with the source code of the same type, so that an attacker can be prevented from avoiding monitoring only by modifying the suffix of the operation file. Secondly, by further comparing the types and sizes of the operation files, abnormal operation information is more accurately screened, the accuracy of the file monitoring method can be effectively improved, and the capability of an application system for resisting abnormal operation attacks is improved.
In operation S430, when at least one of the first comparison result and the second comparison result is abnormal, it is determined that the operation file is abnormal operation information.
In the embodiment of the present disclosure, the abnormal operation information can be effectively checked through operation S430, and further, the service operation in the application system is automatically intercepted according to the abnormal operation information, so that the accuracy of automatic interception is improved.
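The following Python block is an added example for operations S410 to S430, not code from the patent. The patent's "transcoding the operation file to source code and comparing it with the type source code" is implemented here, as an assumption, by checking the file's actual leading bytes against the signature of the type its suffix claims, which is what defeats a renamed suffix; the signature table, the normal-base profiles, the size thresholds and the sample files are all constructed.

```python
"""Added example (not from the patent): the two comparisons of operations
S410 to S430 on an operation file. "Transcoding to source code and comparing
with the type source code" is implemented, as an assumption, as checking the
file's actual byte encoding against the signature of the type its suffix
claims. Names, tables and sample inputs are constructed."""
import os
from dataclasses import dataclass
from typing import Dict, Tuple

# Constructed: leading-byte signatures that stand in for the "type source
# code" of each file type held in the operation information base.
TYPE_SIGNATURES: Dict[str, Tuple[bytes, ...]] = {
    "jpg": (b"\xff\xd8\xff",),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "docx": (b"PK\x03\x04",),
    "pdf": (b"%PDF-",),
    "txt": (),  # no magic number; verified by decoding as text instead
}


@dataclass(frozen=True)
class NormalFileProfile:
    """Type and size the normal operation information base expects for one
    business operation (constructed values)."""
    file_type: str
    max_size: int  # preset size threshold in bytes


NORMAL_BASE: Dict[str, NormalFileProfile] = {
    "upload_avatar": NormalFileProfile("jpg", 2_000_000),
    "import_notes": NormalFileProfile("txt", 100_000),
}


def declared_type(filename: str) -> str:
    """The type the file claims through its suffix, lower-cased."""
    return os.path.splitext(filename)[1].lstrip(".").lower()


def first_comparison(filename: str, content: bytes) -> str:
    """S410: does the file's byte encoding match the type its suffix claims?"""
    signatures = TYPE_SIGNATURES.get(declared_type(filename))
    if signatures is None:
        return "abnormal"  # unknown type: nothing to compare against
    if not signatures:  # text type: content must decode as UTF-8
        try:
            content.decode("utf-8")
        except UnicodeDecodeError:
            return "abnormal"
        return "normal"
    return "normal" if any(content.startswith(s) for s in signatures) else "abnormal"


def second_comparison(operation: str, filename: str, size: int) -> str:
    """S420: do type and size match the normal base for this operation?"""
    profile = NORMAL_BASE.get(operation)
    if profile is None or declared_type(filename) != profile.file_type:
        return "abnormal"
    return "abnormal" if size > profile.max_size else "normal"


def check_operation_file(operation: str, filename: str, content: bytes) -> Tuple[str, str, bool]:
    """S430: the file is abnormal operation information when either result is
    abnormal. Returns (first_result, second_result, is_abnormal)."""
    first = first_comparison(filename, content)
    second = second_comparison(operation, filename, len(content))
    return first, second, (first == "abnormal" or second == "abnormal")


if __name__ == "__main__":
    # Constructed samples: a genuine JPEG header, then a shell script renamed to .jpg
    print(check_operation_file("upload_avatar", "photo.jpg", b"\xff\xd8\xff\xe0" + bytes(16)))
    print(check_operation_file("upload_avatar", "photo.jpg", b"#!/bin/sh\necho hello\n"))
```

The second sample is the case the text warns about: the suffix says jpg and the size is well within the threshold, so only the content signature check (the first comparison) flags it. A file whose suffix and content agree but whose type or size is wrong for the business operation is caught by the second comparison instead.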
Fig. 5 schematically shows a flowchart of a file monitoring method according to an embodiment of the present disclosure when the operation information is a current operation path.
As shown in fig. 5, in an embodiment of the present disclosure, the operation information further includes a current operation path. The process 500 of comparing the operation information with the information in the operation information base corresponding to the service operation to determine the abnormal operation information in the operation information further includes operations S510 to S520.
In operation S510, the current operation path is compared with an operation path in an operation information base corresponding to the current business operation.
In the embodiment of the disclosure, when performing the service operation, the normal service operation has the same service operation path, and the current operation path of the abnormal service operation is different from the normal service operation path, so that the abnormal operation information can be screened out by comparing the operation paths.
In operation S520, if the current operation path is not consistent with the operation path in the normal operation information base and/or the current operation path is consistent with the operation path in the abnormal operation information base, it is determined that the current operation path is the abnormal operation information.
In the embodiment of the disclosure, in the comparison process, comparing the current operation path with the operation in the operation information base corresponding to the current service operation includes comparing with a normal operation information base and comparing with an abnormal operation information base.
If the current operation path is not consistent with the operation path in the normal operation information base, the current operation path is abnormal operation information. In addition, if the current operation path is consistent with the operation path in the abnormal operation information base, the current operation path is likewise abnormal operation information. When determining the abnormal operation information, if either of the two comparisons determines that the current operation path is abnormal operation information, the business operation corresponding to the abnormal operation information is automatically intercepted.
According to the embodiment of the disclosure, the accuracy of the acquired abnormal operation information can be improved by comparing the operation information with both the normal operation information base and the abnormal operation information base. In addition, the abnormal operation information base is updated in real time by the user and therefore holds more accurate data, so that the acquired abnormal operation information is more accurate and more reliable.
In an optional embodiment of the present disclosure, if the current operation path is not consistent with the operation path in the normal operation information base, and the current operation path is not consistent with the operation path in the abnormal operation information base, the operation information may be sent to the user for manual review, so as to reduce misjudgment of the application system, and improve efficiency.
Fig. 6 schematically shows a flowchart of a file monitoring method according to an embodiment of the present disclosure when the operation information is a current operation action.
As shown in fig. 6, in the embodiment of the present disclosure, the operation information further includes a current operation action, and the process 600 of determining abnormal operation information in the operation information by comparing the operation information with information in the operation information base corresponding to the business operation includes operations S610 to S620.
In operation S610, the current operation action is compared with the operation actions in the operation information base corresponding to the current business operation.
In the embodiment of the present disclosure, a business operation corresponds to different operation actions, for example an action of reading a file or an action of writing a file. Different operation actions present different risks, for example reading system files (such as etc) or reading application configuration files (such as we). Therefore, comparing the current operation action with the operation actions in the operation information base improves the efficiency of determining the abnormal operation information.
In operation S620, if the current operation action is not consistent with the operation actions in the normal operation information base and/or the current operation action is consistent with the operation actions in the abnormal operation information base, it is determined that the current operation action is the abnormal operation information.
In the embodiment of the present disclosure, the comparison process includes comparison with a normal operation information base and comparison with an abnormal operation information base.
For example, if the current operation action is not consistent with the operation actions in the normal operation information base, the current operation action is abnormal operation information. In addition, if the current operation action is consistent with an operation action in the abnormal operation information base, the current operation action is likewise abnormal operation information. When determining the abnormal operation information, if either comparison determines that the current operation action is abnormal operation information, the business operation corresponding to the abnormal operation information is automatically intercepted.
Fig. 7 schematically shows a flowchart of a file monitoring method according to an embodiment of the present disclosure when the operation information is the current operation time.
As shown in fig. 7, in an embodiment of the present disclosure, the operation information further includes a current operation time.
The process 700 of comparing the operation information with the information in the operation information base corresponding to the business operation and determining the abnormal operation information in the operation information includes operations S710 to S720.
In operation S710, the current operation time is compared with the operation time range in the operation information base corresponding to the current service operation.
For example, since processing a file or the like during a business operation takes a certain time, the operation time can be a factor for determining whether the business operation information is abnormal. For example, for the same business operation, if the operation time of the file processing differs little from the usual value, it may be regarded as normal operation information, and if the operation time of the file processing differs greatly, it may be regarded as abnormal operation information.
In operation S720, if the current operation time is greater than the operation time in the normal operation information base and/or the current operation time satisfies the operation time in the abnormal operation information base, it is determined that the current operation time is the abnormal operation information.
According to the embodiment of the disclosure, the information such as the current operation path, the current operation action, the current operation time and the like in the operation information is respectively compared with the normal operation information base and the abnormal operation information base, so that the accuracy of determining the abnormal operation information is improved, the misjudgment of an application system is reduced, and the efficiency is improved.
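The Python block below is an added example, not code from the patent, that ties together the construction of the two operation information bases in operations S310 and S320 (normal profiles learned from normal runs, abnormal entries from system feedback or user input) with the comparisons of the current operation path, action and time in operations S510 to S720, including the optional embodiment in which an operation found in neither base is handed to a user for manual review. The business operation name, paths, actions, timings and the reading of "satisfies the operation time in the abnormal base" as "at or above a threshold" are all constructed assumptions.

```python
"""Added example (not from the patent): building the normal and abnormal
operation information bases (S310/S320) and classifying the current
operation path, action and time against both (S510 to S720), with the
optional manual-review outcome. Names and sample data are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Observation:
    operation: str   # business operation name
    path: str        # current operation path
    action: str      # current operation action
    seconds: float   # current operation time


@dataclass
class NormalProfile:
    """What normal executions of one business operation looked like."""
    paths: Set[str] = field(default_factory=set)
    actions: Set[str] = field(default_factory=set)
    min_seconds: float = float("inf")
    max_seconds: float = 0.0


@dataclass
class OperationInfoBase:
    normal: Dict[str, NormalProfile] = field(default_factory=dict)
    abnormal_paths: Set[str] = field(default_factory=set)
    abnormal_actions: Set[str] = field(default_factory=set)
    # "current operation time satisfies the abnormal base" is taken here to
    # mean: at or above this many seconds (assumption)
    abnormal_min_seconds: Optional[float] = None


def build_normal_base(base: OperationInfoBase, normal_runs: List[Observation]) -> None:
    """S310: learn the profile of each business operation from normal runs."""
    for o in normal_runs:
        p = base.normal.setdefault(o.operation, NormalProfile())
        p.paths.add(o.path)
        p.actions.add(o.action)
        p.min_seconds = min(p.min_seconds, o.seconds)
        p.max_seconds = max(p.max_seconds, o.seconds)


def add_abnormal(base: OperationInfoBase, *, path: Optional[str] = None,
                 action: Optional[str] = None, min_seconds: Optional[float] = None) -> None:
    """S320: extend the abnormal base from system feedback or user input."""
    if path is not None:
        base.abnormal_paths.add(path)
    if action is not None:
        base.abnormal_actions.add(action)
    if min_seconds is not None:
        base.abnormal_min_seconds = min_seconds


def _verdict(matches_abnormal: bool, matches_normal: bool) -> str:
    if matches_abnormal:
        return "abnormal"
    if matches_normal:
        return "normal"
    return "review"  # in neither base: hand to a user for manual review


def classify(base: OperationInfoBase, obs: Observation) -> Tuple[str, List[str]]:
    """Return an overall verdict ('normal', 'abnormal' or 'review') and the
    reasons; any abnormal element makes the whole operation abnormal."""
    profile = base.normal.get(obs.operation, NormalProfile())
    results = {
        "path": _verdict(obs.path in base.abnormal_paths, obs.path in profile.paths),
        "action": _verdict(obs.action in base.abnormal_actions, obs.action in profile.actions),
    }
    # S720: longer than any normal run, or meeting the abnormal threshold
    too_slow = obs.seconds > profile.max_seconds
    hits_abnormal = (base.abnormal_min_seconds is not None
                     and obs.seconds >= base.abnormal_min_seconds)
    results["time"] = "abnormal" if (too_slow or hits_abnormal) else "normal"

    reasons = [f"{element}:{r}" for element, r in results.items() if r != "normal"]
    if any(r == "abnormal" for r in results.values()):
        return "abnormal", reasons
    if any(r == "review" for r in results.values()):
        return "review", reasons
    return "normal", reasons


def build_demo_base() -> OperationInfoBase:
    """Constructed sample: two normal runs of open_document plus user input."""
    base = OperationInfoBase()
    build_normal_base(base, [
        Observation("open_document", "/srv/app/docs", "read", 1.0),
        Observation("open_document", "/srv/app/tmp", "read", 3.0),
    ])
    add_abnormal(base, path="/etc", action="exec")
    return base


if __name__ == "__main__":
    demo = build_demo_base()
    print(classify(demo, Observation("open_document", "/etc", "read", 2.0)))
    print(classify(demo, Observation("open_document", "/srv/app/docs", "write", 2.0)))
```

Matching the abnormal base takes precedence over matching the normal base, so an entry a user adds to the abnormal base overrides a stale normal profile, which is the "continuously updated" behaviour the text attributes to user input.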
Fig. 8 schematically shows a flowchart of a file monitoring method according to an embodiment of the present disclosure in performing automatic interception processing.
As shown in fig. 8, performing automatic interception processing on a service operation corresponding to at least one abnormal operation information includes operations S810 to S820.
In operation S810, an attack method record of the service operation is generated according to the abnormal operation information.
In the embodiment of the present disclosure, after the abnormal operation information is determined, an attack method record corresponding to the abnormal operation information is generated according to its content, for example an attack method record corresponding to an inconsistent operation file type, an attack method record corresponding to an inconsistent operation path, or an attack method record corresponding to an inconsistent operation action.
In addition, if the record of the attack method is not recorded in the abnormal operation information base, the abnormal operation information base is updated according to the abnormal operation information, so that the abnormal operation information base is perfected.
In operation S820, a preset interception processing method is obtained to intercept the service operation according to the specific content corresponding to each abnormal operation information.
In the embodiment of the disclosure, a preset interception processing method is provided for each kind of abnormal operation information. For example, when the abnormal operation information is the current operation action, file interception processing is executed and the reading, writing or other operation on the file is stopped. For another example, when the abnormal operation information is the current operation path, access to the specific path may be blocked, and measures such as blocking the access flow, recording logs and blocking the IP may be taken.
Since different abnormal operation information is intercepted with different interception processing methods, the efficiency of the interception processing can be effectively improved.
Fig. 9 schematically shows a flowchart of a file monitoring method after the automatic interception processing according to an embodiment of the disclosure.
As shown in fig. 9, after operation S230, operation S240 is further included.
In operation S240, the result of the automatic interception process is analyzed to generate a monitoring result.
For example, the abnormal operation information obtained in each monitoring round is recorded and stored, and is classified and counted, for example by the attack type and file related to the abnormal operation information, whether the automatic interception succeeded in blocking the operation, the time consumed by the automatic interception, and the like, so that the user can conveniently query, analyze and trace the monitoring result. In addition, the monitoring result can be sent to a corresponding display device, for example a front-end web interface, so that the user can view the monitoring result in real time.
According to the embodiment of the disclosure, the monitoring code is inserted into the application code of the application system in an instrumented manner, so that the business operation of the application system is monitored; the operation information is compared with the information corresponding to the business operation in the operation information base, so that the business operation is automatically intercepted according to the abnormal operation information; thus the monitoring efficiency and the monitoring accuracy can be improved, and erroneous interception can be effectively reduced.
Fig. 10 schematically shows a block diagram of the structure of a file monitoring apparatus according to an embodiment of the present disclosure.
As shown in fig. 10, the file monitoring apparatus 1000 according to the embodiment of the present disclosure includes a monitoring code insertion module 1010, an operation information determination module 1020, and an automatic interception module 1030.
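As an added example for operations S810, S820 and S240 (written for this page, not code from the patent), the Python block below generates the attack method record from a piece of abnormal operation information, adds it to the abnormal base when it is new, dispatches to a preset interception handler chosen by the kind of abnormal information, and finally classifies and counts the interception results as the monitoring result. The handler for the operation action and operation path cases follows what the text states; the handlers for the operation file and operation time cases, the record field names and the attack type naming are assumptions.

```python
"""Added example (not from the patent): automatic interception (S810/S820)
and the monitoring result of S240. The mapping from the kind of abnormal
operation information to an interception method follows the text where it
gives one (operation action -> stop file I/O; operation path -> block the
path, the access flow and the IP, with a log entry) and is an assumption
elsewhere. Names are hypothetical."""
import time
from collections import Counter
from dataclasses import dataclass
from typing import Callable, Dict, List, Set, Tuple


@dataclass(frozen=True)
class AbnormalInfo:
    kind: str       # "operation_file" | "operation_path" | "operation_action" | "operation_time"
    operation: str  # business operation concerned
    detail: str     # the offending value (path, action, ...)


@dataclass(frozen=True)
class AttackRecord:
    attack_type: str
    operation: str
    detail: str


@dataclass
class InterceptResult:
    record: AttackRecord
    method: str
    blocked: bool
    elapsed: float   # seconds the interception took


# The abnormal operation information base, kept as a set of (kind, detail) pairs.
AbnormalBase = Set[Tuple[str, str]]


def generate_attack_record(info: AbnormalInfo, base: AbnormalBase) -> Tuple[AttackRecord, bool]:
    """S810: derive the attack method record from the abnormal information and
    add it to the abnormal base when it is not recorded there yet.
    Returns (record, newly_added)."""
    record = AttackRecord(f"{info.kind}_inconsistent", info.operation, info.detail)
    key = (info.kind, info.detail)
    newly_added = key not in base
    base.add(key)
    return record, newly_added


# Preset interception handlers; each returns True when the operation was stopped.
def stop_file_io(info: AbnormalInfo) -> bool:
    return True   # stand-in for cancelling the read/write of the file


def block_path_access(info: AbnormalInfo) -> bool:
    # stand-in for blocking the path, the access flow and the source IP, and logging it
    return True


INTERCEPT_METHODS: Dict[str, Tuple[str, Callable[[AbnormalInfo], bool]]] = {
    "operation_action": ("stop_file_io", stop_file_io),
    "operation_path": ("block_path_access", block_path_access),
    "operation_file": ("stop_file_io", stop_file_io),      # assumption
    "operation_time": ("stop_file_io", stop_file_io),      # assumption
}


def intercept(info: AbnormalInfo, base: AbnormalBase) -> InterceptResult:
    """S820: pick the preset method for this kind of abnormal information and run it."""
    record, _ = generate_attack_record(info, base)
    name, handler = INTERCEPT_METHODS[info.kind]
    start = time.perf_counter()
    blocked = handler(info)
    return InterceptResult(record, name, blocked, time.perf_counter() - start)


def summarize(results: List[InterceptResult]) -> Dict[str, object]:
    """S240: classify and count the interceptions for later query and tracing."""
    return {
        "total": len(results),
        "by_attack_type": dict(Counter(r.record.attack_type for r in results)),
        "by_operation": dict(Counter(r.record.operation for r in results)),
        "blocked": sum(1 for r in results if r.blocked),
        "total_elapsed": sum(r.elapsed for r in results),
    }


if __name__ == "__main__":
    demo_base: AbnormalBase = set()
    outcome = [intercept(AbnormalInfo("operation_path", "open_document", "/etc"), demo_base),
               intercept(AbnormalInfo("operation_action", "open_document", "exec"), demo_base)]
    print(summarize(outcome))
```

The summary dictionary is the shape of data a front-end view would render; keeping the handler's return value and elapsed time in the record is what lets the "whether the interception succeeded" and "time consumed" statistics in the text be computed later rather than at interception time.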
A monitoring code insertion module 1010 configured to insert monitoring code into at least one application code of an application system in an instrumented manner. In an embodiment, the monitoring code inserting module 1010 may be configured to perform the operation S210 described above, which is not described herein again.
An operation information determining module 1020 configured to determine operation information related to a business operation of the application system according to the monitoring code. In an embodiment, the operation information determining module 1020 may be configured to perform the operation S220 described above, which is not described herein again.
The automatic interception module 1030 is configured to compare the operation information with information in an operation information base corresponding to the service operation, determine abnormal operation information in the operation information, and perform automatic interception processing on the corresponding service operation according to at least one piece of abnormal operation information. In an embodiment, the automatic interception module 1030 may be configured to perform the operation S230 described above, which is not described herein again.
In an embodiment of the present disclosure, the file monitoring apparatus 1000 further includes an information base building module, where the information base building module is configured to build an operation information base before comparing the operation information with information in the operation information base corresponding to the business operation. The operation information base comprises a normal operation information base and an abnormal operation information base.
The information base construction module comprises a first construction submodule and a second construction submodule. The first construction submodule is configured to obtain normal business operation corresponding to the application system and generate a normal operation information base.
The second construction submodule is configured to acquire abnormal business operation fed back by the application system and/or input by a user and generate an abnormal operation information base.
In an embodiment of the present disclosure, the automatic interception module includes a first sub-module. The operation information comprises an operation file; the first submodule is configured to transcode the operation file to generate a source code of the operation file, compare the source code with the type source code of the operation file, and generate a first comparison result; comparing the type and/or the size of the operation file with the type and/or the size of the operation file in the normal operation information base to generate a second comparison result; and when at least one of the first comparison result and the second comparison result is abnormal, determining the operation file as abnormal operation information.
In an embodiment of the present disclosure, the automatic interception module includes a second sub-module. The operation information also includes a current operation path. The second sub-module is configured to compare the current operation path with an operation path in an operation information base corresponding to the current business operation, and if the current operation path is inconsistent with the operation path in the normal operation information base and/or the current operation path is consistent with the operation path in the abnormal operation information base, the current operation path is determined to be abnormal operation information.
In an embodiment of the present disclosure, the automatic interception module includes a third sub-module. The operation information also includes a current operation action. The third sub-module is configured to compare the current operation action with the operation action in the operation information base corresponding to the current business operation, and if the current operation action is inconsistent with the operation action in the normal operation information base and/or the current operation action is consistent with the operation action in the abnormal operation information base, the current operation action is determined to be abnormal operation information.
In an embodiment of the present disclosure, the automatic interception module includes a fourth sub-module. The operation information also includes a current operation time. The fourth sub-module is configured to compare the current operation time with the range of the operation time in the operation information base corresponding to the current business operation, and if the current operation time is greater than the operation time in the normal operation information base and/or the current operation time meets the operation time in the abnormal operation information base, the current operation time is determined to be abnormal operation information.
In an embodiment of the present disclosure, the automatic interception module includes a fifth sub-module. The fifth submodule is configured to: generating an attack method record of the service operation according to the abnormal operation information; and acquiring a preset interception processing method to intercept the service operation according to the specific content corresponding to each abnormal operation information.
In the embodiment of the present disclosure, the file monitoring apparatus 1000 further includes a monitoring result generation module. The monitoring result generation module is configured to analyze the result of the automatic interception processing, after the automatic interception processing has been performed on the business operation corresponding to the at least one abnormal operation information, so as to generate a monitoring result.
According to the embodiment of the present disclosure, any plurality of the monitoring code insertion module 1010, the operation information determination module 1020, the automatic interception module 1030, the information base construction module, the first construction sub-module, the second construction sub-module, the first sub-module, the second sub-module, the third sub-module, the fourth sub-module, the fifth sub-module, and the monitoring result generation module may be combined and implemented in one module, or any one of them may be split into a plurality of modules. Alternatively, at least part of the functionality of one or more of these modules may be combined with at least part of the functionality of the other modules and implemented in one module. According to the embodiment of the present disclosure, at least one of the monitoring code inserting module 1010, the operation information determining module 1020, the automatic intercepting module 1030, the information base constructing module, the first constructing sub-module, the second constructing sub-module, the first sub-module, the second sub-module, the third sub-module, the fourth sub-module, the fifth sub-module, and the monitoring result generating module may be at least partially implemented as a hardware circuit, such as a Field Programmable Gate Array (FPGA), a Programmable Logic Array (PLA), a system on a chip, a system on a substrate, a system on a package, an Application Specific Integrated Circuit (ASIC), or may be implemented by hardware or firmware such as any other reasonable manner of integrating or packaging a circuit, or implemented by any one of three implementation manners of software, hardware, and firmware, or by a suitable combination of any of them. 
Alternatively, at least one of the monitoring code insertion module 1010, the operation information determination module 1020, the automatic interception module 1030, the information base construction module, the first construction sub-module, the second construction sub-module, the first sub-module, the second sub-module, the third sub-module, the fourth sub-module, the fifth sub-module, and the monitoring result generation module may be at least partially implemented as a computer program module that may perform a corresponding function when being executed.
Fig. 11 schematically shows a block diagram of an electronic device suitable for implementing a file monitoring method according to an embodiment of the present disclosure. The electronic device shown in fig. 11 is only an example, and should not bring any limitation to the functions and the scope of use of the embodiments of the present disclosure.
As shown in fig. 11, an electronic device 1100 according to an embodiment of the present disclosure includes a processor 1101, which can perform various appropriate actions and processes according to a program stored in a Read Only Memory (ROM)1102 or a program loaded from a storage section 1108 into a Random Access Memory (RAM) 1103. The processor 1101 may comprise, for example, a general purpose microprocessor (e.g., a CPU), an instruction set processor and/or associated chipset, and/or a special purpose microprocessor (e.g., an Application Specific Integrated Circuit (ASIC)), or the like. The processor 1101 may also include on-board memory for caching purposes. The processor 1101 may comprise a single processing unit or a plurality of processing units for performing the different actions of the method flows according to the embodiments of the present disclosure.
In the RAM 1103, various programs and data necessary for the operation of the electronic device 1100 are stored. The processor 1101, the ROM 1102, and the RAM 1103 are connected to each other by a bus 1104. The processor 1101 performs various operations of the method flow according to the embodiments of the present disclosure by executing programs in the ROM 1102 and/or the RAM 1103. It is noted that the programs may also be stored in one or more memories other than the ROM 1102 and RAM 1103. The processor 1101 may also perform various operations of the method flows according to the embodiments of the present disclosure by executing programs stored in the one or more memories.
According to an embodiment of the disclosure, the electronic device 1100 may also include an input/output (I/O) interface 1105, which is also connected to the bus 1104. The electronic device 1100 may also include one or more of the following components connected to the I/O interface 1105: an input section 1106 including a keyboard, a mouse, and the like; an output section 1107 including a display such as a Cathode Ray Tube (CRT) or a Liquid Crystal Display (LCD), and a speaker; a storage section 1108 including a hard disk and the like; and a communication section 1109 including a network interface card such as a LAN card, a modem, or the like. The communication section 1109 performs communication processing via a network such as the internet. A drive 1110 is also connected to the I/O interface 1105 as necessary. A removable medium 1111 such as a magnetic disk, an optical disk, a magneto-optical disk, a semiconductor memory, or the like is mounted on the drive 1110 as necessary, so that a computer program read out therefrom is installed into the storage section 1108 as necessary.
The present disclosure also provides a computer-readable storage medium, which may be contained in the apparatus/device/system described in the above embodiments; or may exist separately and not be assembled into the device/apparatus/system. The computer-readable storage medium carries one or more programs which, when executed, implement a file monitoring method according to an embodiment of the present disclosure.
According to embodiments of the present disclosure, the computer-readable storage medium may be a non-volatile computer-readable storage medium, which may include, for example but is not limited to: a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the present disclosure, a computer readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. For example, according to embodiments of the present disclosure, a computer-readable storage medium may include the ROM 1102 and/or the RAM 1103 and/or one or more memories other than the ROM 1102 and the RAM 1103 described above.
Embodiments of the present disclosure also include a computer program product comprising a computer program containing program code for performing the method illustrated in the flow chart. When the computer program product runs in a computer system, the program code is used for causing the computer system to realize the file monitoring method provided by the embodiment of the disclosure.
When executed by the processor 1101, the computer program performs the functions defined above in the system/apparatus of the embodiments of the present disclosure. The systems, apparatuses, modules, units, etc. described above may be implemented by computer program modules according to embodiments of the present disclosure.
In one embodiment, the computer program may be hosted on a tangible storage medium such as an optical storage device or a magnetic storage device. In another embodiment, the computer program may also be transmitted in the form of a signal on a network medium, and distributed, downloaded and installed via the communication section 1109 and/or installed from the removable medium 1111. The computer program containing program code may be transmitted using any suitable network medium, including but not limited to wireless or wired media, or any suitable combination of the foregoing.
According to embodiments of the present disclosure, the program code of the computer programs provided by the embodiments may be written in any combination of one or more programming languages; in particular, these computer programs may be implemented using high level procedural and/or object oriented programming languages, and/or assembly/machine languages. The programming languages include, but are not limited to, Java, C++, Python, C, and the like. The program code may execute entirely on the user computing device, partly on the user device, partly on a remote computing device, or entirely on the remote computing device or server. In the case of a remote computing device, the remote computing device may be connected to the user computing device through any kind of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or may be connected to an external computing device (e.g., through the internet using an internet service provider).
The flowchart and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present disclosure. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams or flowchart illustration, and combinations of blocks in the block diagrams or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions.
Those skilled in the art will appreciate that various combinations and/or associations of the features recited in the various embodiments and/or claims of the present disclosure can be made, even if such combinations or associations are not expressly recited in the present disclosure. In particular, various combinations and/or associations of the features recited in the various embodiments and/or claims of the present disclosure may be made without departing from the spirit or teaching of the present disclosure. All such combinations and/or associations are within the scope of the present disclosure.
The embodiments of the present disclosure have been described above. However, these examples are for illustrative purposes only and are not intended to limit the scope of the present disclosure. Although the embodiments are described separately above, this does not mean that the measures in the embodiments cannot be used in advantageous combination. The scope of the disclosure is defined by the appended claims and equivalents thereof. Various alternatives and modifications can be devised by those skilled in the art without departing from the scope of the present disclosure, and such alternatives and modifications are intended to be within the scope of the present disclosure.

Claims (12)

1. A file monitoring method of an application system comprises the following steps:
inserting a monitoring code into at least one application code of the application system in an instrumentation mode;
determining, according to the monitoring code, operation information related to the business operation of the application system;
and comparing the operation information with information in an operation information base corresponding to the business operation, determining abnormal operation information in the operation information, and automatically intercepting the corresponding business operation according to at least one item of abnormal operation information.
2. The file monitoring method according to claim 1, wherein before comparing the operation information with information in an operation information base corresponding to the business operation, the method further comprises constructing the operation information base, the operation information base comprising a normal operation information base and an abnormal operation information base;
the constructing of the operation information base comprises the following steps:
acquiring normal business operation corresponding to the application system, and generating a normal operation information base;
and obtaining abnormal business operation fed back by the application system and/or input by a user, and generating an abnormal operation information base.
3. The file monitoring method according to claim 2, wherein the operation information includes an operation file;
the comparing the operation information with information in an operation information base corresponding to the business operation, and determining abnormal operation information in the operation information includes:
transcoding the operation file to obtain its source content, and comparing that source content with the source content expected for the declared type of the operation file, to generate a first comparison result; and
comparing the type and/or the size of the operation file with the type and/or the size of the operation file in the normal operation information base to generate a second comparison result;
and when at least one of the first comparison result and the second comparison result is abnormal, determining that the operation file is abnormal operation information.
4. The file monitoring method according to claim 3, wherein the operation information further includes a current operation path;
the comparing the operation information with information in an operation information base corresponding to the business operation, and determining abnormal operation information in the operation information includes:
comparing the current operation path with the operation path in the operation information base corresponding to the current business operation,
if the current operation path is not consistent with the operation path in the normal operation information base and/or the current operation path is consistent with the operation path in the abnormal operation information base,
determining that the current operation path is abnormal operation information.
5. A file monitoring method according to claim 3, wherein the operation information further includes a current operation action;
the comparing the operation information with information in an operation information base corresponding to the business operation, and determining abnormal operation information in the operation information includes:
comparing the current operation action with the operation action in the operation information base corresponding to the current business operation,
if the current operation action is not consistent with the operation action in the normal operation information base and/or the current operation action is consistent with the operation action in the abnormal operation information base,
determining that the current operation action is abnormal operation information.
6. The file monitoring method according to claim 3, wherein the operation information further includes a current operation time;
the comparing the operation information with information in an operation information base corresponding to the business operation, and determining abnormal operation information in the operation information includes:
comparing the current operation time with the range of the operation time in the operation information base corresponding to the current business operation,
if the current operation time falls outside the range of the operation time in the normal operation information base and/or falls within the range of the operation time in the abnormal operation information base,
determining the current operation time as abnormal operation information.
7. The file monitoring method according to any one of claims 1 to 6, wherein the automatically intercepting the corresponding business operation according to the at least one abnormal operation information includes:
generating an attack method record of the business operation according to the abnormal operation information;
and selecting, according to the specific content of each item of abnormal operation information, a preset interception processing method to intercept the business operation.
8. The file monitoring method according to claim 1, wherein, after automatically intercepting the business operation corresponding to the at least one item of abnormal operation information, the method further comprises:
and analyzing and processing the result of the automatic interception processing to generate a monitoring result.
9. A file monitoring apparatus of an application system, comprising:
the monitoring code inserting module is configured to insert monitoring codes into at least one application code of the application system in an instrumentation mode;
the operation information determining module is configured to determine operation information related to the business operation of the application system according to the monitoring code;
and the automatic interception module is configured to compare the operation information with information in an operation information base corresponding to the business operation, determine abnormal operation information in the operation information, and automatically intercept the corresponding business operation according to at least one abnormal operation information.
10. An electronic device, comprising:
one or more processors;
storage means for storing executable instructions that, when executed by the processor, implement the method of any one of claims 1 to 8.
11. A computer readable storage medium having stored thereon executable instructions which, when executed by a processor, implement the method of any one of claims 1 to 8.
12. A computer program product comprising a computer program which, when executed by a processor, implements the method according to any one of claims 1 to 8.
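The following is an added example, not code from the patent or from ICBC, that models the method of claims 1 to 8 in Python as a runnable check. A decorator stands in for the monitoring code that an instrumentation agent would insert into the application code (claim 1); the normal and abnormal operation information bases of claim 2 are constructed dictionaries; the four comparisons of claims 3 to 6 (decoded content against declared type and size, operation path, operation action, operation time) feed the attack-method record and the preset interception handling of claims 7 and 8. Every name, threshold, path, magic-byte prefix and sample operation below is an assumption made for illustration.

```python
from dataclasses import dataclass, field
from datetime import time
# Constructed normal operation information base (claim 2) for one business operation.
# Magic bytes, size limit, paths, actions and time window are illustrative assumptions.
NORMAL_BASE = {"upload_statement": {
    "types": {"pdf": b"%PDF-", "png": b"\x89PNG\r\n\x1a\n"},  # declared type -> leading bytes
    "max_size": 5 * 1024 * 1024,
    "paths": ("/data/upload/statements/",),
    "actions": {"create", "read"},
    "time_range": (time(6, 0), time(22, 0)),
}}
# Constructed abnormal operation information base (claim 2): patterns fed back by the
# application or entered by an operator.
ABNORMAL_BASE = {"upload_statement": {
    "path_fragments": ("../", "/etc/", "/WEB-INF/"),
    "actions": {"execute", "delete"},
    "time_range": (time(0, 0), time(4, 0)),
    "script_markers": (b"<?php", b"<%", b"<script"),
}}
# Claim 7: preset interception handling per kind of abnormal information (assumed).
HANDLERS = {"file": "quarantine file, reject request", "path": "reject request, lock path",
            "action": "reject request", "time": "reject request, alert on-call"}
STORED = []  # stand-in for the file store the business operation writes to

@dataclass
class Operation:  # operation information gathered by the monitoring code (claims 1, 3-6)
    business: str
    declared_type: str
    content: bytes
    path: str
    action: str
    at: time

@dataclass
class MonitorResult:  # claim 8: the monitoring result
    abnormal: list = field(default_factory=list)      # (kind, detail) pairs
    attack_record: list = field(default_factory=list)
    intercepted: bool = False

def within(t, rng):
    return rng[0] <= t <= rng[1]

def check_file(op, normal, abnormal, found):
    """Claim 3: decoded content vs declared type, then type/size vs the normal base."""
    magic = normal["types"].get(op.declared_type)
    if magic is not None and not op.content.startswith(magic):
        found.append(("file", "content does not match declared type " + op.declared_type))
    if any(m in op.content for m in abnormal["script_markers"]):
        found.append(("file", "embedded script marker"))
    if magic is None or len(op.content) > normal["max_size"]:
        found.append(("file", f"type/size outside normal base: {op.declared_type}/{len(op.content)}"))
def check_path(op, normal, abnormal, found):
    """Claim 4: must start with a normal path and must not contain an abnormal fragment."""
    if (not op.path.startswith(normal["paths"])
            or any(f in op.path for f in abnormal["path_fragments"])):
        found.append(("path", op.path))
def check_action(op, normal, abnormal, found):
    """Claim 5: action not in the normal base, or listed in the abnormal base."""
    if op.action not in normal["actions"] or op.action in abnormal["actions"]:
        found.append(("action", op.action))
def check_time(op, normal, abnormal, found):
    """Claim 6: outside the normal window, or inside the abnormal window."""
    if not within(op.at, normal["time_range"]) or within(op.at, abnormal["time_range"]):
        found.append(("time", op.at.isoformat()))

def evaluate(op):
    """Claims 3-8: run every comparison, build the attack-method record, decide."""
    normal, abnormal = NORMAL_BASE[op.business], ABNORMAL_BASE[op.business]
    result = MonitorResult()
    for check in (check_file, check_path, check_action, check_time):
        check(op, normal, abnormal, result.abnormal)
    result.attack_record = [{"business": op.business, "kind": k, "detail": d,
                             "handling": HANDLERS[k]} for k, d in result.abnormal]
    result.intercepted = bool(result.abnormal)
    return result

def monitored(fn):
    """Claim 1: the monitoring code wrapped around a business operation. A real
    deployment injects it with an instrumentation agent; here it is a decorator."""
    def wrapper(op):
        result = evaluate(op)
        if not result.intercepted:  # the business operation runs only when nothing is abnormal
            fn(op)
        return result
    return wrapper

@monitored
def save_statement(op):
    STORED.append((op.path, len(op.content)))

# Constructed sample operations: a legitimate upload, and a web-shell upload that
# also traverses out of the upload directory at 02:15.
GOOD = Operation("upload_statement", "pdf", b"%PDF-1.7\n1 0 obj\n",
                 "/data/upload/statements/jan.pdf", "create", time(10, 30))
BAD = Operation("upload_statement", "png", b"<?php system($_GET['c']); ?>",
                "/data/upload/statements/../../webroot/avatar.png", "create", time(2, 15))

if __name__ == "__main__":
    for op in (GOOD, BAD):
        r = save_statement(op)
        print("intercepted" if r.intercepted else "allowed", r.attack_record)
```

Run as a script, it allows the PDF upload and intercepts the second operation on three grounds at once: the file declared as PNG decodes to PHP source, the path walks out of the upload directory, and the time falls both outside the normal window and inside the abnormal one. The normal-base and abnormal-base checks are joined with or, as the "and/or" wording of claims 4 to 6 requires: an operation is abnormal as soon as either base says so, and the business operation behind the decorator never runs for it.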

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210109643.4A CN114490264A (en) 2022-01-28 2022-01-28 File monitoring method and device of application system, electronic equipment and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202210109643.4A CN114490264A (en) 2022-01-28 2022-01-28 File monitoring method and device of application system, electronic equipment and storage medium

Publications (1)

Publication Number Publication Date
CN114490264A (en) 2022-05-13

Family

ID=81478491

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210109643.4A Pending CN114490264A (en) 2022-01-28 2022-01-28 File monitoring method and device of application system, electronic equipment and storage medium

Country Status (1)

Country Link
CN (1) CN114490264A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117743181A (en) * 2023-12-25 2024-03-22 杭州云掣科技有限公司 System for constructing observable control surface

Similar Documents

Publication Publication Date Title
US11593492B2 (en) Assessment and analysis of software security flaws
CN111914262A (en) Test method, device, system, electronic equipment and storage medium
US20130212682A1 (en) Automatic discovery of system integrity exposures in system code
CN114024764A (en) Monitoring method, monitoring system, equipment and storage medium for abnormal access of database
CN113114680B (en) Detection method and detection device for file uploading vulnerability
CN114070619A (en) Monitoring method, monitoring system, equipment and storage medium for abnormal access of database
US11005877B2 (en) Persistent cross-site scripting vulnerability detection
CN114490264A (en) File monitoring method and device of application system, electronic equipment and storage medium
CN113162937A (en) Application safety automatic detection method, system, electronic equipment and storage medium
CN114153703A (en) Micro-service exception positioning method and device, electronic equipment and program product
US10015181B2 (en) Using natural language processing for detection of intended or unexpected application behavior
CN116450533B (en) Security detection method and device for application program, electronic equipment and medium
CN113535568B (en) Verification method, device, equipment and medium for application deployment version
CN114024867B (en) Network anomaly detection method and device
CN115378655A (en) Vulnerability detection method and device
CN115190008A (en) Fault processing method, fault processing device, electronic device and storage medium
CN112966167A (en) Data crawling method, device, computer system and computer readable storage medium
CN113590425B (en) Data processing method, apparatus, device, medium, and program product
CN116484436A (en) Webpage tampering monitoring method and device, electronic equipment and medium
CN115237738A (en) Remote operation record tracing method and device, electronic equipment and storage medium
CN114266547A (en) Method, device, equipment, medium and program product for identifying business processing strategy
CN114254621A (en) Document auditing method and device, electronic equipment and storage medium
CN116401174A (en) Code vulnerability detection method, device, equipment and storage medium
US20190332767A1 (en) Security module for mobile devices
CN114064484A (en) Interface testing method and device, electronic equipment and readable storage medium

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination