CN117234857A - Endophytic security architecture system and anomaly detection method - Google Patents

Publication number: CN117234857A (granted version: CN117234857B)
Application number: CN202311497031.8A
Authority: CN (China)
Original language: Chinese (zh)
Inventors: 王培磊, 张汝云, 邹涛, 李顺斌, 黄培龙
Assignee: Zhejiang Lab
Legal status: Granted, active
Prior art keywords: execution, executable, execution body, arbitration, service
Classification: Debugging And Monitoring

Abstract

The specification discloses an endogenous security architecture system and an anomaly detection method. The endogenous security architecture system comprises: the method comprises the steps of obtaining a sample model, inputting the sample model into a simulation data generation module, generating simulation echo data corresponding to the sample model through the simulation data generation module, taking the simulation echo data as first simulation echo data, inputting the sample model into a simulation analysis module, determining a mechanical model of the sample model after the sample model receives preset pressure through the simulation analysis module, determining displacement variation of preset target points in the sample model, strain information and displacement information of the sample model according to the mechanical model, constructing a deformed sample model according to the displacement variation of the target points, generating simulation echo data corresponding to the deformed sample model through the simulation data generation module, taking the simulation echo data as second simulation echo data, and performing task execution according to the first simulation echo data, the second simulation echo data, the strain information and the displacement information.

Description

Endogenous security architecture system and anomaly detection method
Technical Field
The present disclosure relates to the field of endogenous security technologies, and in particular to an endogenous security architecture system and an anomaly detection method.
Background
With the development of computer technology, network security incidents of various kinds occur continuously and cause great losses to enterprises and users. To avoid such losses, systems built on an endogenous security architecture (for example an endogenous security switch, an endogenous security gateway, an endogenous security network operating system or an endogenous security web server) are receiving widespread attention.
In general, a system with an endogenous security architecture may adopt a dynamic heterogeneous redundancy method to improve its security: a plurality of mutually heterogeneous execution bodies of the same kind are deployed to respond together to a service request initiated by a user, the service execution result returned by each execution body is obtained, and an arbitrator then determines whether an abnormal execution body exists among them according to the consistency of the returned service execution results. Heterogeneous execution bodies may, for example, be different versions of the same server, such as different versions of Redis.
However, because an arbitrator and an execution body are strongly coupled, that is, one arbitrator can only arbitrate the service execution result returned by one kind of execution body, mutually heterogeneous execution bodies correspond to different arbitrators, and an arbitrator cannot be reused across multiple heterogeneous execution bodies.
Therefore, how to improve the reusability of the arbitrator is an urgent problem to be solved.
Disclosure of Invention
The present disclosure provides an endogenous security architecture system and an anomaly detection method, so as to partially solve the above-mentioned problems in the prior art.
The technical scheme adopted in the specification is as follows:
the present specification provides an endogenous security architecture system comprising an arbitration module and at least one execution body, the arbitration module comprising a main arbitration process, an arbitration program library and at least one execution body interface library, where the execution body interface libraries correspond to the execution bodies one by one;
the main arbitration process is used, for each execution body, to determine from the arbitration programs contained in the arbitration program library the arbitration program matching the type of the execution body as a target arbitration program, to perform bypass monitoring on the execution body through the target arbitration program, to call, when the execution body is observed to respond to a service request sent by a user and perform service execution, the service execution result acquisition interface provided in the execution body interface library corresponding to that execution body in order to acquire the service execution result of the execution body as the target service result corresponding to the execution body, to determine an abnormal execution body from all execution bodies according to the target service result corresponding to each execution body, and to perform offline processing on the abnormal execution body;
the execution body is used for responding to the service request sent by the user and performing service execution.
Optionally, the arbitration module includes an arbitrator management module;
the main arbitration process is used to determine, for each execution body, whether an arbitrator matching the type of the execution body has already been created;
if not, to create an arbitrator matching the type of the execution body by calling the arbitrator creation interface contained in the arbitrator management module, to take it as the arbitrator corresponding to the execution body, and to call the arbitrator operation interface contained in the arbitrator management module to run the arbitrator corresponding to the execution body, so that the target arbitration program is run through the arbitrator corresponding to the execution body and bypass monitoring is performed on the execution body.
Optionally, the arbitration module includes an execution body management module;
the main arbitration process is used, when an execution body coming online is detected, to determine through the execution body management module the execution body interface library corresponding to the online execution body, to call the execution body adding interface provided in that execution body interface library, and to initialize the online execution body.
Optionally, the main arbitration process is configured, for each execution body, to obtain, when the target arbitration program observes that the execution body responds to a service request sent by a user and performs service execution, a mirror image (copy) of the service execution result returned by the execution body in response to that request, by calling the service execution result acquisition interface provided in the execution body interface library corresponding to the execution body.
Optionally, the main arbitration process is configured to create an IO multiplexing listening list through the target arbitration program, to add, for each execution body, the communication descriptor corresponding to the execution body to the IO multiplexing listening list, and to perform bypass monitoring on each execution body through the IO multiplexing listening list.
Optionally, the main arbitration process is configured to determine, through the target arbitration program, whether the target service result corresponding to each execution body meets a preset arbitration condition, where the arbitration condition includes at least one of an alignment arbitration condition, an expiration arbitration condition and a queue full arbitration condition. The alignment arbitration condition is used to judge whether every service execution result with the same serial number has been acquired; the expiration arbitration condition is used to judge whether the storage time of an acquired service execution result in the execution body descriptor corresponding to its execution body has reached a preset time threshold; and the queue full arbitration condition is used to judge whether the number of service execution results stored in the service execution result list in the execution body descriptor corresponding to an execution body has reached a preset number threshold;
if yes, an abnormal execution body is determined from the execution bodies according to the target service result corresponding to each execution body.
Optionally, the main arbitration process is configured to create an arbitrator by invoking the arbitrator creation interface included in the arbitrator management module to create an arbitrator descriptor, where the arbitrator descriptor includes: an arbitrator identity information identifier, an arbitrator state information identifier, an arbitration library handle and an execution body descriptor list.
Optionally, the main arbitration process is used to determine, for each execution body, the arbitrator corresponding to the type of the execution body as the target arbitrator;
and to store the execution body descriptor of the execution body into the execution body descriptor list of the target arbitrator, so that the target arbitration program is run through the target arbitrator and bypass monitoring is performed on the execution body.
Optionally, the main arbitration process is configured to call the execution body adding interface included in the execution body management module, create an execution body descriptor corresponding to an online execution body, and perform initialization processing on the online execution body, where the execution body descriptor includes: an execution body identity information identifier, an execution body state information identifier, an execution body interface library handle, a service execution result list, the communication descriptor corresponding to the execution body, and the security information of the execution body.
The present specification provides an anomaly detection method applied to an endogenous security architecture system comprising an arbitration module and at least one execution body, the arbitration module comprising a main arbitration process, an arbitration program library and at least one execution body interface library, where the execution body interface libraries correspond to the execution bodies one by one, and the method comprises the following steps:
running the main arbitration process so that, for each execution body, the main arbitration process determines from the arbitration programs contained in the arbitration program library the arbitration program matching the type of the execution body as a target arbitration program;
performing bypass monitoring on the execution body through the target arbitration program, and, when the execution body is observed to respond to a service request sent by a user and perform service execution, calling the service execution result acquisition interface provided in the execution body interface library corresponding to the execution body to acquire the service execution result of the execution body as the target service result corresponding to the execution body;
and performing anomaly detection on each execution body according to the target service result corresponding to each execution body, so as to determine an abnormal execution body from the execution bodies and perform offline processing on the abnormal execution body.
The present specification provides a computer readable storage medium storing a computer program which when executed by a processor implements the above-described ultrasound elastography method.
The present specification provides an electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, the processor implementing the above-described ultrasound elastography method when executing the program.
The at least one technical scheme adopted in this specification can achieve the following beneficial effects:
the endogenous security architecture system provided in the present specification includes an arbitration module and at least one execution body, where the arbitration module comprises a main arbitration process and an arbitration program library. The main arbitration process determines, according to the type of an execution body, the arbitration program matching that type from the arbitration programs contained in the arbitration program library as the target arbitration program, performs bypass monitoring on the execution body through the target arbitration program to acquire the service execution result returned by the execution body in response to a service request sent by a user, determines an abnormal execution body from all execution bodies according to the target service result corresponding to each execution body, and performs offline processing on the abnormal execution body; the execution body is used to respond to the service request sent by the user and perform service execution.
In this way, the arbitrator and the execution body are decoupled through the preset arbitration program library and the execution body interface libraries: the main arbitration process can select, according to the type of an execution body, the arbitration program that arbitrates that execution body's service execution results, and can obtain the program for operating each execution body from the execution body interface library corresponding to it. A developer therefore does not need to consider adaptation between the execution body and the arbitration program when designing either of them, so the development cost of a system with an endogenous security architecture is reduced while the reusability of the arbitration program is improved.
Drawings
The accompanying drawings, which are included to provide a further understanding of the specification, illustrate the exemplary embodiments of the present specification together with their description and are not intended to limit the specification unduly. In the drawings:
FIG. 1 is a schematic diagram of an endogenous security architecture system provided in the present specification;
FIG. 2 is a schematic diagram of an execution body provided in the present specification;
FIG. 3 is a schematic diagram of an input-output proxy module provided in the present specification;
FIG. 4 is a flow chart of the anomaly detection method provided in the present specification;
FIG. 5 is a schematic diagram of an electronic device corresponding to FIG. 4 provided in the present specification.
Detailed Description
For the purposes of making the objects, technical solutions and advantages of the present specification more apparent, the technical solutions of the present specification will be clearly and completely described below with reference to specific embodiments of the present specification and corresponding drawings. It will be apparent that the described embodiments are only some, but not all, of the embodiments of the present specification. All other embodiments, which can be made by one of ordinary skill in the art without undue burden from the present disclosure, are intended to be within the scope of the present disclosure.
The following describes in detail the technical solutions provided by the embodiments of the present specification with reference to the accompanying drawings.
FIG. 1 is a schematic diagram of an endogenous security architecture system provided in the present specification.
As can be seen from FIG. 1, the endogenous security architecture system may include an arbitration module and at least one execution body, where the arbitration module may comprise a main arbitration process, an arbitration program library, an arbitrator management module, an execution body management module and execution body interface libraries, each execution body interface library corresponding to one execution body.
In an actual application scenario, the endogenous security architecture system may be an endogenous security switch system, an endogenous security gateway system, an endogenous security network operating system, an endogenous security web server, an endogenous security database system, etc., and the execution bodies are chosen according to the type of system. For example, in an endogenous security database system the execution bodies may be different versions of Remote Dictionary Server (Redis), or KeyDB, DragonflyDB or godis database servers, responding to database service requests initiated by users.
Redis servers of different versions are heterogeneous execution bodies with respect to one another, and Redis servers of different versions, KeyDB, DragonflyDB and godis are likewise heterogeneous execution bodies with respect to one another.
As another example, in an endogenous security web system the execution bodies may be web servers of different versions, which are heterogeneous with respect to one another.
Further, the main arbitration process may determine, for each preset execution body, the execution body interface library corresponding to that execution body from the preset execution body interface libraries, and call the execution body adding interface included in the execution body management module to initialize the execution body.
Specifically, the main arbitration process may initialize an online execution body by calling the execution body adding interface included in the execution body management module to create an execution body descriptor corresponding to the online execution body, where the execution body descriptor includes: an execution body identity information identifier, an execution body state information identifier, an execution body interface library handle, a service execution result list, the communication descriptor corresponding to the execution body, and the security information of the execution body.
The execution body identity information identifier may be of character pointer type; the character pointer may point to a character string whose actual meaning is the name of the execution body.
The execution body state information identifier may be of enumeration type and is used to identify the current state of the execution body, where the state may include: online, standby, cleaning, etc.
The execution body interface library handle may be a void-type pointer assigned from the return value of the dlopen function of the dlfcn library provided by Linux; it is used to open the execution body interface library corresponding to the execution body, where the execution body interface library includes an execution body adding interface, an execution body deleting interface, an execution body updating interface, an execution body cleaning interface, an execution body restarting interface, and the like.
The service execution result list may be a pointer array whose size can be set according to actual requirements (for example, 3). The array stores structure pointers, each of which points to a structure holding one service execution result, where that structure contains the service execution result to be arbitrated together with the serial number and the timestamp corresponding to that result.
The communication descriptor corresponding to the execution body may be of structure pointer type and points to an inter-process communication identification structure, which may include: the inter-process communication type, the inter-process communication state and the inter-process communication socket descriptor. The inter-process communication type may include Linux domain sockets, IP domain sockets, first-in first-out pipes (i.e. FIFOs), etc. The inter-process communication state may include to-be-created, etc.
The security information of the execution body may be of int type and represents the security confidence of the execution body. The security confidence is set to an initial value after the execution body first comes online or is cleaned, and is increased or decreased during arbitration; when the security confidence of an execution body falls below a preset threshold (for example, the threshold may be set to 0), the execution body can be taken offline through the execution body offline interface provided in the execution body interface library corresponding to it, and can be cleaned through the execution body cleaning interface provided in that library.
Further, the main arbitration process may determine, for each execution body, the arbitration program matching the type of the execution body from the arbitration programs included in the arbitration program library as the target arbitration program, and arbitrate, through the target arbitration program, the execution result of the execution body performing service execution in response to a service request initiated by a user.
Specifically, the main arbitration process may determine, for each execution body, whether an arbitrator matching the type of the execution body has already been created, and if so, may add the execution body descriptor corresponding to the execution body to the execution body descriptor list of that arbitrator, so that the service execution result returned by the execution body in response to a user-initiated service request is arbitrated by the arbitrator matching its type.
If not, an arbitrator corresponding to the execution body is created by calling the arbitrator creation interface contained in the arbitrator management module, the execution body descriptor corresponding to the execution body is added to the execution body descriptor list of that arbitrator, and the arbitrator operation interface contained in the arbitrator management module is called to run the arbitrator corresponding to the execution body, so that the target arbitration program runs through that arbitrator and bypass monitoring is performed on the execution body.
The types of execution bodies may be as follows: an execution body in an endogenous security database system, an execution body in an endogenous security switch, an execution body in an endogenous security gateway, an execution body in an endogenous security network operating system, an execution body in an endogenous security web server, and the like.
For example, when the main arbitration process determines that an execution body is an execution body in an endogenous security database system responding to user-initiated data processing service requests, it may invoke the arbitrator creation interface included in the arbitrator management module to create an arbitrator that arbitrates the execution bodies responding to such requests, at the same time determine from the arbitration programs included in the arbitration program library the arbitration program that arbitrates those execution bodies as the target arbitration program, and run the target arbitration program through that arbitrator to arbitrate the service execution results returned by those execution bodies.
It should be noted that the target arbitration programs may all be stored in one arbitration program library, or each target arbitration program may be stored in a separate dynamic library.
In the foregoing, the way in which the main arbitration process creates an arbitrator through the arbitrator creation interface included in the arbitrator management module may be that the main arbitration process calls that interface to create an arbitrator descriptor, where the arbitrator descriptor includes: an arbitrator identity information identifier, an arbitrator state information identifier, an arbitration library handle and an execution body descriptor list.
The arbitrator identity information identifier may be of character pointer type, pointing to a string that characterizes the arbitrator name.
The arbitrator state information identifier may be a structure pointer (using a structure here effectively improves the scalability of the arbitrator), where the structure pointer may point to an arbitrator state structure, which may include: a sequence number base and a sequence number alignment state array.
The arbitration library handle may be a void-type pointer variable assigned from the return value of the dlopen function of the dlfcn library provided by Linux, and is used to invoke the target arbitration program.
The execution body descriptor list may be a pointer array storing pointers to the execution body descriptors that the arbitrator needs to arbitrate, and identifies that the arbitrator needs to arbitrate the service execution results returned by the execution bodies corresponding to those descriptors.
From the above it can be seen that the main arbitration process may arbitrate the execution bodies by adopting different arbitrators for different types of execution bodies, where the arbitrators may run in parallel.
Further, after the main arbitration process creates an arbitrator, it may run the arbitrator by calling the arbitrator operation interface provided by the arbitrator management module, so that the target arbitration program runs through the arbitrator. The target arbitration program may then create an IO multiplexing listening list, determine the execution bodies that need bypass monitoring from the execution body descriptor list in the arbitrator descriptor, and add the communication descriptor corresponding to each such execution body to the IO multiplexing listening list, so that bypass monitoring of each execution body is performed by the arbitrator.
It should be noted that during operation of the arbitrator, the main arbitration process implements the functions of dynamic arbitration and execution body management by means of the Linux shell and similar mechanisms. Because the Linux shell and the like run as independent processes, they also communicate with the arbitrator through inter-process communication.
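The IO multiplexing listening list described above, as an added C example that is not code from the patent or from Zhejiang Lab: each execution body's communication descriptor is represented by one end of a socketpair standing in for the Unix domain socket its monitoring process would use, the arbitrator adds every descriptor to a poll(2) set, and one pass of bypass monitoring reads whichever mirrored results have arrived without blocking on the bodies that stay silent. The type names, the enumeration values and the "seq=99 result=OK" payload are assumptions constructed for the example.

```c
/* Added example (not from the patent): the arbitrator's IO-multiplexing
 * listening list built with poll(2). Names and IPC codes are assumptions. */
#include <poll.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

#define MAX_BODIES 8
#define MAX_RESULT 256

/* Inter-process communication identification structure (constructed codes). */
typedef enum { IPC_UNIX_SOCKET, IPC_IP_SOCKET, IPC_FIFO } ipc_type_t;
typedef enum { IPC_TO_BE_CREATED, IPC_CONNECTED } ipc_state_t;
typedef struct {
    ipc_type_t  type;
    ipc_state_t state;
    int         fd;   /* socket descriptor the arbitrator polls */
} ipc_desc_t;

/* The listening list: one pollfd per execution body, index-aligned with the bodies. */
typedef struct {
    struct pollfd pfds[MAX_BODIES];
    int count;
} listen_list_t;

/* Create the list and add each execution body's communication descriptor to it. */
void listen_list_init(listen_list_t *l, const ipc_desc_t *bodies, int n) {
    l->count = 0;
    for (int i = 0; i < n && i < MAX_BODIES; i++) {
        l->pfds[l->count].fd = bodies[i].fd;
        l->pfds[l->count].events = POLLIN;
        l->pfds[l->count].revents = 0;
        l->count++;
    }
}

/* One pass of bypass monitoring: poll every body, read each mirrored result
 * that arrived. Returns how many bodies delivered a result and fills
 * ready_idx with their indices; waits at most timeout_ms. */
int listen_list_collect(listen_list_t *l, int timeout_ms,
                        char results[][MAX_RESULT], int *ready_idx) {
    int n_ready = 0;
    int rc = poll(l->pfds, (nfds_t)l->count, timeout_ms);
    if (rc <= 0) return 0;                      /* timeout or error: nothing to arbitrate yet */
    for (int i = 0; i < l->count; i++) {
        if (l->pfds[i].revents & POLLIN) {
            ssize_t len = read(l->pfds[i].fd, results[n_ready], MAX_RESULT - 1);
            if (len > 0) {
                results[n_ready][len] = '\0';
                ready_idx[n_ready] = i;
                n_ready++;
            }
        }
        l->pfds[i].revents = 0;
    }
    return n_ready;
}

/* Self-contained scenario: three execution bodies; the monitoring process of
 * every body whose bit is set in write_mask writes a copy of its result.
 * Returns the number of bodies the arbitrator found ready. */
int demo_collect(unsigned write_mask) {
    int sp[3][2];
    ipc_desc_t bodies[3];
    for (int i = 0; i < 3; i++) {
        if (socketpair(AF_UNIX, SOCK_STREAM, 0, sp[i]) != 0) return -1;
        bodies[i].type = IPC_UNIX_SOCKET;
        bodies[i].state = IPC_CONNECTED;
        bodies[i].fd = sp[i][0];                /* arbitrator side */
    }
    const char *mirror = "seq=99 result=OK";    /* constructed mirrored result */
    for (int i = 0; i < 3; i++)
        if ((write_mask >> i) & 1u)
            if (write(sp[i][1], mirror, strlen(mirror)) < 0) return -1;

    listen_list_t l;
    listen_list_init(&l, bodies, 3);
    char results[MAX_BODIES][MAX_RESULT];
    int idx[MAX_BODIES];
    int n = listen_list_collect(&l, 100, results, idx);
    for (int i = 0; i < 3; i++) { close(sp[i][0]); close(sp[i][1]); }
    return n;
}
```

With write_mask 0b101 only bodies 0 and 2 answer and the pass returns 2; body 1's silence costs the arbitrator at most the poll timeout rather than a blocking read, which is what lets one arbitrator watch several heterogeneous bodies from a single thread.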
In an actual application scenario, when the arbitrator runs the target arbitration program, for each execution body in the execution body descriptor list, while the server process of the execution body runs, the monitoring process preset in the execution body monitors that server process, as shown in FIG. 2.
FIG. 2 is a schematic diagram of an execution body provided in the present specification.
As can be seen from FIG. 2, an execution body may include a server process and a monitoring process. The server process performs service execution in response to service requests initiated by users, and the monitoring process monitors the server process; when it observes a service execution result returned by the execution body in response to a user-initiated service request, the service execution result of the execution body can be obtained by calling the service execution result acquisition interface provided in the execution body interface library corresponding to the execution body, and that result is used as the target service result corresponding to the execution body.
It should be noted that, in order to avoid affecting the normal operation of the execution body's server process, the arbitrator obtains a mirror image (copy) of the service execution result returned by the execution body by calling the service execution result acquisition interface provided in the corresponding execution body interface library, saves that copy in the service execution result list, updates the serial number and the timestamp, and updates the state information in the execution body descriptor and the arbitrator descriptor. In other words, the service execution result itself is returned to the user normally and is not affected; the arbitrator works on a copy of it.
In addition, a user may send a service request through the client to the input/output proxy module, so that service execution is carried out through the input/output proxy module, as shown in FIG. 3.
FIG. 3 is a schematic diagram of an input-output proxy module provided in the present specification.
As can be seen from FIG. 3, after receiving the service request sent by the user, the input/output proxy module may select some of the execution bodies according to the type of the service request, forward the service request to that subset of execution bodies, obtain the service execution results they return in response as candidate service execution results, and determine, according to the consistency between the candidate service execution results, the service execution result that is finally returned to the client used by the user.
Further, the arbiter may determine, through the target arbitration program, whether the target service result corresponding to the execution body meets a preset arbitration condition, where the arbitration condition includes at least one of an alignment arbitration condition, an expiration arbitration condition and a queue-full arbitration condition. The alignment arbitration condition is used to judge whether all service execution results with the same serial number have been acquired; the expiration arbitration condition is used to judge whether the time for which an acquired service execution result has been stored in the execution body descriptor corresponding to the execution body meets a preset time threshold; and the queue-full arbitration condition is used to judge whether the number of service execution results stored in the service execution result list in the execution body descriptor corresponding to the execution body reaches a preset number threshold.
Specifically, since the service execution results returned by the execution bodies in response to the same service request initiated by the user carry the same serial number, the alignment arbitration may be to determine, for each serial number, whether the execution result of every execution body for that serial number has been obtained, and if so, to arbitrate over those execution results.
The expiration arbitration may be to determine whether the time for which an acquired service execution result has been stored in the service execution result list of the execution body descriptor corresponding to the execution body meets a preset time threshold, and if so, to arbitrate over the execution results with that serial number that have been acquired so far.
For example, the service execution result with serial number 99 of the first execution body has been obtained and stored in the service execution result list of the first execution body, but the service execution results with serial number 99 of the second and third execution bodies have not been obtained. When the time for which the first execution body's result with serial number 99 has been stored in its service execution result list reaches the preset time threshold, arbitration can be triggered; that is, the service execution results with the same serial number that the other execution bodies have not yet returned are directly treated as null.
The queue-full arbitration may be to determine whether the number of service execution results stored in the service execution result list of the execution body descriptor corresponding to the execution body reaches a preset number threshold, and if so, to take each service execution result stored in that list in turn according to the first-in first-out principle, obtain the other currently existing service execution results with the same serial number, and arbitrate over them.
Further, the arbiter may, for each arbitration, determine an abnormal execution body from the execution bodies according to the service execution results involved in that arbitration, and perform offline processing on the abnormal execution body.
The arbiter may determine the abnormal execution body from the execution bodies according to the service execution results as follows: determine whether the service execution results are consistent with each other; if so, consider that no abnormal execution body exists; if not, consider the execution body whose service execution result is inconsistent with the majority of the service execution results to be the abnormal execution body.
In addition, the arbiter may adjust the security confidence of the execution body corresponding to each service execution result (for example, increase it by a first specified value, decrease it by a second specified value, or keep it unchanged) according to the service execution results involved in the current arbitration, and if the adjusted security confidence of an execution body is lower than a preset threshold, determine that execution body to be an abnormal execution body and perform offline processing on it.
Further, the arbiter may perform offline processing on the abnormal execution body by traversing the execution body descriptor list in the arbiter descriptor, locating the execution body descriptor to be taken offline based on the execution body identification information of the abnormal execution body, closing the execution body interface library handle, removing the communication descriptor in that execution body descriptor from the IO multiplexing listening table of the arbiter, and logging the abnormal execution body.
In addition, for the abnormal execution body that has been taken offline, the arbiter may call the execution body cleaning interface and/or the execution body restart interface provided in the execution body interface library corresponding to that execution body, so as to clean or restart it.
In addition, after the abnormal execution body is taken offline, the arbiter may select at least one alternative execution body from the preset alternative execution bodies and bring it online.
Further, when the main arbitration process monitors that an execution body is coming online, it may determine, through the execution body management module, the execution body interface library corresponding to that execution body, call the execution body adding interface provided in that interface library, create the execution body descriptor corresponding to the execution body, perform initialization processing on it, and add the created execution body descriptor to the execution body descriptor list of the arbiter corresponding to that execution body.
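As an added worked example, not code from the patent or from Zhejiang Lab, the following Python model implements the arbiter behaviour described above for one execution body type: results are stored per execution body keyed by serial number, the alignment, expiration and queue-full conditions trigger arbitration, a strict-majority vote selects the agreed result and flags the outliers, each execution body's security confidence is raised or lowered, and an execution body whose confidence falls below the threshold is taken offline (its communication descriptor is removed from the listening table and the event is logged) and replaced by an alternate. Class, field and method names, the confidence step sizes and thresholds, and the scenario in `demo()` are assumptions made for illustration; the strict-majority rule and the choice to leave confidence unchanged when no majority exists are likewise decisions the patent leaves open. The same consistency vote is what the input/output proxy of fig. 3 applies when choosing which candidate result to return to the client.

```python
from collections import Counter, OrderedDict
from dataclasses import dataclass, field


@dataclass
class ExecutorDescriptor:
    """Execution body descriptor (field names are assumptions, not the patent's)."""
    exec_id: str
    fd: int                       # communication descriptor watched by IO multiplexing
    results: OrderedDict = field(default_factory=OrderedDict)  # serial -> (result, stored_at)
    confidence: float = 1.0       # security confidence
    online: bool = True


class Arbiter:
    """Arbiter for one execution body type: trigger conditions, majority vote, offline processing."""

    def __init__(self, executors, alternates=(), time_threshold=2.0, queue_threshold=4,
                 conf_threshold=0.5, conf_up=0.05, conf_down=0.3):
        self.executors = {e.exec_id: e for e in executors}
        self.alternates = list(alternates)
        self.listen_table = {e.fd: e.exec_id for e in executors}   # IO multiplexing listening table
        self.time_threshold, self.queue_threshold = time_threshold, queue_threshold
        self.conf_threshold, self.conf_up, self.conf_down = conf_threshold, conf_up, conf_down
        self.verdicts = {}   # serial -> agreed result, or None when there was no strict majority
        self.log = []

    def online_ids(self):
        return [i for i, e in self.executors.items() if e.online]

    def submit(self, exec_id, serial, result, now):
        """Store a result mirrored from an execution body, evaluate the three conditions, arbitrate what fired."""
        ex = self.executors[exec_id]
        if not ex.online:
            return []
        ex.results[serial] = (result, now)
        fired = []
        # alignment: every online execution body has delivered a result with this serial number
        if all(serial in self.executors[i].results for i in self.online_ids()):
            fired.append(serial)
        # expiration: this execution body's oldest stored result has waited past the time threshold
        oldest_serial, (_, stored_at) = next(iter(ex.results.items()))
        if now - stored_at >= self.time_threshold:
            fired.append(oldest_serial)
        # queue full: drain this execution body's result list first-in first-out
        if len(ex.results) >= self.queue_threshold:
            fired.extend(ex.results.keys())
        fired = list(dict.fromkeys(fired))   # de-duplicate, preserving order
        return [(s, self.arbitrate(s)) for s in fired]

    def arbitrate(self, serial):
        """Vote over every online execution body's result for this serial; absent results count as null."""
        votes = {}
        for i in self.online_ids():
            entry = self.executors[i].results.pop(serial, None)
            votes[i] = entry[0] if entry else None
        tally = Counter(v for v in votes.values() if v is not None)
        value, count = tally.most_common(1)[0] if tally else (None, 0)
        agreed = value if count * 2 > len(votes) else None   # strict majority required (assumption)
        abnormal = []
        if agreed is not None:
            for i, v in votes.items():
                ex = self.executors[i]
                if v == agreed:
                    ex.confidence = min(1.0, ex.confidence + self.conf_up)
                    continue
                ex.confidence -= self.conf_down
                abnormal.append(i)
                if ex.confidence < self.conf_threshold:
                    self._offline(i, f"serial {serial}: confidence {ex.confidence:.2f} below {self.conf_threshold}")
        self.verdicts[serial] = agreed
        return {"result": agreed, "abnormal": abnormal}

    def _offline(self, exec_id, reason):
        """Offline processing: clear descriptor state, stop listening on its fd, log, bring an alternate online."""
        ex = self.executors[exec_id]
        ex.online = False
        ex.results.clear()                     # closing the interface library handle is simulated here
        self.listen_table.pop(ex.fd, None)
        self.log.append(f"offline {exec_id}: {reason}")
        if self.alternates:
            alt = self.alternates.pop(0)
            self.executors[alt.exec_id] = alt
            self.listen_table[alt.fd] = alt.exec_id
            self.log.append(f"online {alt.exec_id} replacing {exec_id}")


def demo():
    """Constructed scenario (not from the patent): A, B, C, D serve; D misbehaves twice and is replaced by E."""
    execs = [ExecutorDescriptor(i, fd) for fd, i in enumerate("ABCD", start=3)]
    arb = Arbiter(execs, alternates=[ExecutorDescriptor("E", 7)], time_threshold=2.0, queue_threshold=4)
    outcomes = []
    # serial 1: alignment fires on D's submission and D's result is the odd one out
    for i, r in (("A", b"ok"), ("B", b"ok"), ("C", b"ok"), ("D", b"tampered")):
        outcomes += arb.submit(i, 1, r, now=0.0)
    # serial 2: D never answers; A's next submission finds its own serial-2 result expired
    for i in "ABC":
        outcomes += arb.submit(i, 2, b"ok", now=1.0)
    outcomes += arb.submit("A", 3, b"ok", now=3.5)
    return arb, outcomes
```

In `demo()`, D's first disagreement only lowers its confidence; the second, a missed response caught by the expiration condition, pushes it below the threshold, so D is taken offline and E is brought online in its place. Because a single bad result does not offline an execution body, a transient fault is tolerated, while an execution body that repeatedly diverges is removed before it can keep influencing votes.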
From the above it can be seen that, for an arbiter to be used, a developer can add an arbitration program designed according to the arbitration logic of that arbiter to the arbitration program library of the arbitration module, and, for an execution body to be used, the developer can add the interfaces corresponding to the execution body's online, offline, update, cleaning, restart and service execution result acquisition routines to its execution body interface library. The main arbitration process can then call the matching arbitration program from the arbitration program library according to the type of each execution body through the arbiter management module, and, for each heterogeneous execution body, call the corresponding functional interface from its execution body interface library through the execution body management module, so that the arbiter and the execution bodies are adapted to each other. In this way the development cost of the endogenous security architecture system is reduced while the reusability of arbitration programs is improved.
In order to describe the above endogenous security architecture system in detail, the present specification further provides an anomaly detection method based on that system, as shown in fig. 4.
Fig. 4 is a flow chart of the anomaly detection method provided in the present specification, which includes the following steps:
S401: run the main arbitration process, so that the main arbitration process determines, for each execution body, an arbitration program matching the type of the execution body from the arbitration programs contained in the arbitration program library, as the target arbitration program.
S402: perform bypass monitoring on the execution body through the target arbitration program, and, when the execution body is monitored to perform service execution in response to a service request sent by a user, obtain the service execution result of the execution body by calling the service execution result acquisition interface provided in the execution body interface library corresponding to the execution body, as the target service result corresponding to the execution body.
S403: perform anomaly detection on the execution bodies according to the target service result corresponding to each execution body, so as to determine an abnormal execution body from among them, and perform offline processing on the abnormal execution body.
From the above it can be seen that the arbiter and the execution bodies are decoupled by the preset arbitration program library and execution body interface libraries: the main arbitration process can determine, for an execution body, the arbitration program that arbitrates its service execution results, and can obtain, for each execution body, the routines that operate it from its execution body interface library. When designing an arbitration program or the routines of an execution body, the developer therefore does not need to consider adaptation between the execution body and the arbitration program, which improves the reusability of arbitration programs and reduces the development cost of the endogenous security architecture system.
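As an added example illustrating the decoupling described above, not code from the patent or from Zhejiang Lab, the following Python sketch separates the two libraries: an execution body interface contract that every heterogeneous execution body implements (online, offline, clean, restart, result acquisition), and an arbitration program library keyed by execution body type from which the main arbitration process picks a program when an execution body is attached. The point it makes is why the program is matched by type: two JSON-speaking execution bodies built on different stacks can return the same answer with different key order and whitespace, and a generic byte-for-byte comparison cannot even find a majority among them, whereas the JSON program canonicalizes first and isolates the execution body that actually differs. The type names, the `InMemoryExecutor` stand-in, the canned results and the scenario in `demo()` are assumptions; an execution body whose type has no program in the library is rejected at attach time.

```python
import json
from abc import ABC, abstractmethod
from collections import Counter
from typing import Any


class ExecutorInterface(ABC):
    """Execution body interface library: the operations the main process may call on any execution body type."""
    name: str
    exec_type: str
    state: str = "new"

    @abstractmethod
    def online(self) -> None: ...
    @abstractmethod
    def offline(self) -> None: ...
    @abstractmethod
    def clean(self) -> None: ...
    @abstractmethod
    def restart(self) -> None: ...
    @abstractmethod
    def get_result(self, serial: int) -> Any: ...   # service execution result acquisition interface


class InMemoryExecutor(ExecutorInterface):
    """Constructed stand-in for a real heterogeneous execution body; 'answers' is a canned serial -> result table."""
    def __init__(self, name: str, exec_type: str, answers: dict):
        self.name, self.exec_type, self.answers = name, exec_type, dict(answers)
    def online(self): self.state = "online"
    def offline(self): self.state = "offline"
    def clean(self): self.answers.clear()
    def restart(self): self.state = "online"
    def get_result(self, serial): return self.answers.get(serial)


class ArbitrationProgram:
    """Base arbitration program: compare normalized results, flag execution bodies outside a strict majority."""
    def normalize(self, result: Any) -> Any:
        return result
    def judge(self, results: dict) -> tuple:
        norm = {k: None if v is None else self.normalize(v) for k, v in results.items()}
        tally = Counter(v for v in norm.values() if v is not None)
        if not tally:
            return False, []
        value, count = tally.most_common(1)[0]
        consistent = count == len(norm)
        outliers = [k for k, v in norm.items() if v != value] if count * 2 > len(norm) else []
        return consistent, outliers


class JsonArbitrationProgram(ArbitrationProgram):
    """For JSON-speaking execution bodies: key order and whitespace differ across heterogeneous stacks."""
    def normalize(self, result):
        return json.dumps(json.loads(result), sort_keys=True, separators=(",", ":"))


class BlobArbitrationProgram(ArbitrationProgram):
    """For execution bodies returning opaque bytes: only an exact match counts."""
    def normalize(self, result):
        return bytes(result)


# arbitration program library keyed by execution body type (type names are assumptions)
ARBITRATION_LIBRARY = {"json-api": JsonArbitrationProgram(), "blob": BlobArbitrationProgram()}


class MainArbitrationProcess:
    def __init__(self, library: dict):
        self.library, self.arbiters = library, {}

    def attach(self, executor: ExecutorInterface) -> None:
        """Select the program matching the execution body's type; create that type's arbiter on first use."""
        if executor.exec_type not in self.library:
            raise LookupError(f"no arbitration program for execution body type {executor.exec_type!r}")
        arbiter = self.arbiters.setdefault(
            executor.exec_type, {"program": self.library[executor.exec_type], "executors": []})
        executor.online()               # execution body adding/online interface
        arbiter["executors"].append(executor)

    def check(self, serial: int) -> dict:
        """Pull each online execution body's result through its interface and judge per type."""
        report = {}
        for exec_type, arb in self.arbiters.items():
            live = [e for e in arb["executors"] if e.state == "online"]
            consistent, outliers = arb["program"].judge({e.name: e.get_result(serial) for e in live})
            for e in live:
                if e.name in outliers:
                    e.offline()         # offline processing, then cleaning, via the same interface library
                    e.clean()
            report[exec_type] = {"consistent": consistent, "abnormal": outliers}
        return report


def demo():
    """Constructed scenario: j1/j2 agree modulo serialization, j3 is wrong; b1/b2 agree byte for byte."""
    proc = MainArbitrationProcess(ARBITRATION_LIBRARY)
    proc.attach(InMemoryExecutor("j1", "json-api", {1: '{"balance": 10, "user": "bob"}'}))
    proc.attach(InMemoryExecutor("j2", "json-api", {1: '{"user":"bob","balance":10}'}))
    proc.attach(InMemoryExecutor("j3", "json-api", {1: '{"user":"bob","balance":9999}'}))
    proc.attach(InMemoryExecutor("b1", "blob", {1: b"\x00\x01"}))
    proc.attach(InMemoryExecutor("b2", "blob", {1: b"\x00\x01"}))
    return proc, proc.check(1)
```

Adding a new kind of execution body means implementing `ExecutorInterface` once and, if its results need a different notion of equality, registering one more program under its type; neither side needs to know about the other, which is the reuse argument the specification makes.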
The present specification also provides a computer-readable storage medium storing a computer program operable to perform the anomaly detection method provided in fig. 4 above.
The present specification also provides a schematic structural diagram, shown in fig. 5, of an electronic device corresponding to fig. 4. At the hardware level, as illustrated in fig. 5, the electronic device includes a processor, an internal bus, a network interface, a memory and a non-volatile storage, and may of course include other hardware required by other services. The processor reads the corresponding computer program from the non-volatile storage into the memory and runs it to implement the anomaly detection method described in fig. 4 above. Of course, other implementations, such as logic devices or combinations of hardware and software, are not excluded by the present specification; that is, the execution subject of the following processing flows is not limited to logic units, but may also be hardware or logic devices.
Improvements to a technology could once be clearly distinguished as improvements in hardware (e.g., improvements to circuit structures such as diodes, transistors and switches) or improvements in software (improvements to the method flow). However, with the development of technology, many improvements to method flows can today be regarded as direct improvements to hardware circuit structures. Designers almost always obtain the corresponding hardware circuit structure by programming the improved method flow into a hardware circuit. Therefore, it cannot be said that an improvement to a method flow cannot be realized by a hardware entity module. For example, a programmable logic device (PLD) (e.g., a field programmable gate array (FPGA)) is an integrated circuit whose logic function is determined by the user's programming of the device. A designer programs to "integrate" a digital system onto a PLD without asking the chip manufacturer to design and fabricate an application-specific integrated circuit chip. Moreover, nowadays, instead of manually manufacturing integrated circuit chips, such programming is mostly implemented with "logic compiler" software, which is similar to the software compiler used in program development; the source code before compilation is written in a specific programming language called a hardware description language (HDL), of which there is not just one but many, such as ABEL (Advanced Boolean Expression Language), AHDL (Altera Hardware Description Language), Confluence, CUPL (Cornell University Programming Language), HDCal, JHDL (Java Hardware Description Language), Lava, Lola, MyHDL, PALASM and RHDL (Ruby Hardware Description Language); VHDL (Very-High-Speed Integrated Circuit Hardware Description Language) and Verilog are currently the most commonly used.
It will also be apparent to those skilled in the art that a hardware circuit implementing the logic method flow can be readily obtained by merely slightly programming the method flow into an integrated circuit using several of the hardware description languages described above.
The controller may be implemented in any suitable manner; for example, the controller may take the form of a microprocessor or processor together with a computer-readable medium storing computer-readable program code (e.g., software or firmware) executable by the (micro)processor, logic gates, switches, an application-specific integrated circuit (ASIC), a programmable logic controller or an embedded microcontroller, examples of which include, but are not limited to, the following microcontrollers: ARC 625D, Atmel AT91SAM, Microchip PIC18F26K20 and Silicon Labs C8051F320; the memory controller may also be implemented as part of the control logic of the memory. Those skilled in the art will also appreciate that, in addition to implementing the controller in pure computer-readable program code, it is entirely possible to implement the same functionality by logically programming the method steps so that the controller takes the form of logic gates, switches, application-specific integrated circuits, programmable logic controllers, embedded microcontrollers and the like. Such a controller may thus be regarded as a kind of hardware component, and the means for performing the various functions included therein may also be regarded as structures within the hardware component. Indeed, the means for achieving the various functions may be regarded either as software modules implementing the methods or as structures within hardware components.
The system, apparatus, module or unit set forth in the above embodiments may be implemented in particular by a computer chip or entity, or by a product having a certain function. One typical implementation is a computer. In particular, the computer may be, for example, a personal computer, a laptop computer, a cellular telephone, a camera phone, a smart phone, a personal digital assistant, a media player, a navigation device, an email device, a game console, a tablet computer, a wearable device, or a combination of any of these devices.
For convenience of description, the above devices are described as being functionally divided into various units, respectively. Of course, the functions of each element may be implemented in one or more software and/or hardware elements when implemented in the present specification.
It will be appreciated by those skilled in the art that embodiments of the present description may be provided as a method, system, or computer program product. Accordingly, the present specification may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Furthermore, the present description can take the form of a computer program product on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, etc.) having computer-usable program code embodied therein.
The present description is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems) and computer program products according to embodiments of the specification. It will be understood that each flow and/or block of the flowchart illustrations and/or block diagrams, and combinations of flows and/or blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
In one typical configuration, a computing device includes one or more processors (CPUs), input/output interfaces, network interfaces, and memory.
The memory may include volatile memory in a computer-readable medium, random access memory (RAM) and/or non-volatile memory, such as read-only memory (ROM) or flash memory (flash RAM). Memory is an example of a computer-readable medium.
Computer-readable media, including both permanent and non-permanent, removable and non-removable media, may implement information storage by any method or technology. The information may be computer-readable instructions, data structures, program modules or other data. Examples of computer storage media include, but are not limited to, phase-change memory (PRAM), static random access memory (SRAM), dynamic random access memory (DRAM), other types of random access memory (RAM), read-only memory (ROM), electrically erasable programmable read-only memory (EEPROM), flash memory or other memory technology, compact disc read-only memory (CD-ROM), digital versatile discs (DVD) or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information accessible by a computing device. As defined herein, computer-readable media do not include transitory computer-readable media (transmission media) such as modulated data signals and carrier waves.
It should also be noted that the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article or apparatus. Without further limitation, an element defined by the phrase "comprising a ..." does not exclude the presence of other like elements in the process, method, article or apparatus that comprises the element.
The description may be described in the general context of computer-executable instructions, such as program modules, being executed by a computer. Generally, program modules include routines, programs, objects, components, data structures, etc. that perform particular tasks or implement particular abstract data types. The specification may also be practiced in distributed computing environments where tasks are performed by remote processing devices that are linked through a communications network. In a distributed computing environment, program modules may be located in both local and remote computer storage media including memory storage devices.
In this specification, each embodiment is described in a progressive manner, and identical and similar parts of each embodiment are all referred to each other, and each embodiment mainly describes differences from other embodiments. In particular, for system embodiments, since they are substantially similar to method embodiments, the description is relatively simple, as relevant to see a section of the description of method embodiments.
The foregoing is merely exemplary of the present disclosure and is not intended to limit the disclosure. Various modifications and alterations to this specification will become apparent to those skilled in the art. Any modifications, equivalent substitutions, improvements, or the like, which are within the spirit and principles of the present description, are intended to be included within the scope of the claims of the present description.

Claims (10)

1. An endogenous security architecture system, comprising an arbitration module and at least one execution body, the arbitration module comprising a main arbitration process, an arbitration program library and at least one execution body interface library, wherein the execution body interface libraries correspond one-to-one to the execution bodies;
the main arbitration process is configured to determine, for each execution body, an arbitration program matching the type of the execution body from the arbitration programs contained in the arbitration program library as a target arbitration program, perform bypass monitoring on the execution body through the target arbitration program, call, when the execution body is monitored to perform service execution in response to a service request sent by a user, a service execution result acquisition interface provided in the execution body interface library corresponding to the execution body to acquire the service execution result of the execution body as the target service result corresponding to the execution body, determine an abnormal execution body from the execution bodies according to the target service result corresponding to each execution body, and perform offline processing on the abnormal execution body;
the execution body is configured to perform service execution in response to the service request sent by the user.
2. The endogenous security architecture system of claim 1, wherein the arbitration module comprises an arbiter management module;
the main arbitration process is configured to determine, for each execution body, whether an arbiter matching the type of the execution body has been created;
and if not, create an arbiter matching the type of the execution body by calling an arbiter creation interface contained in the arbiter management module, take it as the arbiter corresponding to the execution body, call an arbiter running interface contained in the arbiter management module, and run the arbiter corresponding to the execution body, so as to run the target arbitration program through that arbiter and perform bypass monitoring on the execution body.
3. The endogenous security architecture system of claim 1, wherein the arbitration module comprises an execution body management module;
the main arbitration process is configured to, when an execution body coming online is monitored, determine the execution body interface library corresponding to that execution body through the execution body management module, call the execution body adding interface provided in that execution body interface library, and perform initialization processing on the execution body.
4. The endogenous security architecture system of claim 1, wherein the main arbitration process is configured to, for each execution body, when the target arbitration program monitors that the execution body performs service execution in response to a service request sent by a user, obtain a mirror image of the service execution result returned by the execution body in response to that service request by calling the service execution result acquisition interface provided in the execution body interface library corresponding to the execution body.
5. The endogenous security architecture system of claim 1, wherein the main arbitration process is configured to create an IO multiplexing listening table through the target arbitration program, add, for each execution body, the communication descriptor corresponding to the execution body to the IO multiplexing listening table, and perform bypass monitoring on each execution body through the IO multiplexing listening table.
6. The endogenous security architecture system of claim 1, wherein the main arbitration process is configured to determine, for each execution body, through the target arbitration program, whether the target service result corresponding to the execution body meets a preset arbitration condition, the arbitration condition comprising at least one of an alignment arbitration condition, an expiration arbitration condition and a queue-full arbitration condition, wherein the alignment arbitration condition is used to judge whether every service execution result with the same serial number has been acquired, the expiration arbitration condition is used to judge whether the time for which an acquired service execution result has been stored in the execution body descriptor corresponding to the execution body meets a preset time threshold, and the queue-full arbitration condition is used to judge whether the number of service execution results stored in the service execution result list in the execution body descriptor corresponding to the execution body reaches a preset number threshold;
and if so, determine an abnormal execution body from the execution bodies according to the target service result corresponding to each execution body.
7. The endogenous security architecture system of claim 2, wherein the main arbitration process is configured to create an arbiter descriptor by calling the arbiter creation interface contained in the arbiter management module, so as to create the arbiter, the arbiter descriptor comprising an arbiter identity identifier, an arbiter state identifier, an arbitration program library handle and an execution body descriptor list.
8. The endogenous security architecture system of claim 7, wherein the main arbitration process is configured to determine, for each execution body, the arbiter corresponding to the type of the execution body as the target arbiter;
and store the execution body descriptor of the execution body in the execution body descriptor list of the target arbiter, so as to run the target arbitration program through the target arbiter and perform bypass monitoring on the execution body.
9. The endogenous security architecture system of claim 3, wherein the main arbitration process is configured to call the execution body adding interface contained in the execution body management module, create the execution body descriptor corresponding to the execution body coming online, and perform initialization processing on that execution body, the execution body descriptor comprising an execution body identity identifier, an execution body state identifier, an execution body interface library handle, a service execution result list, the communication descriptor corresponding to the execution body, and the security information of the execution body.
10. An anomaly detection method applied to an endogenous security architecture system, the endogenous security architecture system comprising an arbitration module and at least one execution body, the arbitration module comprising a main arbitration process, an arbitration program library and at least one execution body interface library, wherein the execution body interface libraries correspond one-to-one to the execution bodies, the method comprising:
running the main arbitration process, so that the main arbitration process determines, for each execution body, an arbitration program matching the type of the execution body from the arbitration programs contained in the arbitration program library, as a target arbitration program;
performing bypass monitoring on the execution body through the target arbitration program, and, when the execution body is monitored to perform service execution in response to a service request sent by a user, calling the service execution result acquisition interface provided in the execution body interface library corresponding to the execution body to acquire the service execution result of the execution body, as the target service result corresponding to the execution body;
and performing anomaly detection on the execution bodies according to the target service result corresponding to each execution body, so as to determine an abnormal execution body from among them, and performing offline processing on the abnormal execution body.
CN202311497031.8A 2023-11-10 2023-11-10 Endophytic security architecture system and anomaly detection method Active CN117234857B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202311497031.8A CN117234857B (en) 2023-11-10 2023-11-10 Endophytic security architecture system and anomaly detection method

Publications (2)

Publication Number Publication Date
CN117234857A true CN117234857A (en) 2023-12-15
CN117234857B CN117234857B (en) 2024-01-26

Family

ID=89093150

Country Status (1)

Country Link
CN (1) CN117234857B (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117828957A (en) * 2024-03-05 2024-04-05 之江实验室 Ultrasonic elastic simulation method and device, storage medium and electronic equipment

Citations (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20100076744A1 (en) * 2008-09-23 2010-03-25 Sun Microsystems, Inc. Scsi device emulation in user space facilitating storage virtualization
CN112242923A (en) * 2020-09-15 2021-01-19 中国人民解放军战略支援部队信息工程大学 System and method for realizing unified data management network function based on mimicry defense
CN112702205A (en) * 2020-12-24 2021-04-23 中国人民解放军战略支援部队信息工程大学 Method and system for monitoring status of executive under mimicry DHR architecture
WO2021179449A1 (en) * 2020-03-09 2021-09-16 南京红阵网络安全技术研究院有限公司 Mimic defense system based on certificate identity authentication, and certificate issuing method
CN114398683A (en) * 2022-03-24 2022-04-26 之江实验室 Endogenous safety database storage method and device based on heterogeneous subsystem
CN116048977A (en) * 2022-12-30 2023-05-02 支付宝(杭州)信息技术有限公司 Test method and device based on data reduction
WO2023093184A1 (en) * 2022-06-22 2023-06-01 之江实验室 Input and output proxy method and apparatus for mimic redis database
CN116471116A (en) * 2023-05-15 2023-07-21 嵩山实验室 Endophytic security cloud platform and construction method
CN116865990A (en) * 2023-05-17 2023-10-10 中国人民解放军战略支援部队信息工程大学 Endogenous security T-Box system and business processing method thereof

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
KLODJAN KLODI HIDRI, ANGELOS BILAS, CHRISTOS KOZANITIS et al.: "HetSpark: A Framework that Provides Heterogeneous Executors to Apache Spark", Procedia Computer Science, pages 118 - 127 *
班绍桓; 韩英杰; 樊永文; 周清雷: "QR code information encryption architecture based on mimic defense", Journal of Chinese Computer Systems (小型微型计算机系统), no. 04, pages 673 - 678 *

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117828957A (en) * 2024-03-05 2024-04-05 之江实验室 Ultrasonic elastic simulation method and device, storage medium and electronic equipment

Also Published As

Publication number Publication date
CN117234857B (en) 2024-01-26

Similar Documents

Publication Publication Date Title
CN106133698B (en) Framework for user-mode crash reporting
CN117234857B (en) Endophytic security architecture system and anomaly detection method
EP2659371B1 (en) Predicting, diagnosing, and recovering from application failures based on resource access patterns
Bressoud TFT: A software system for application-transparent fault tolerance
CN108628688B (en) Message processing method, device and equipment
WO2017165151A1 (en) Operating system layering
GB2520808A (en) Process control systems and methods
US9183065B1 (en) Providing access to an application programming interface through a named pipe
CN110297955B (en) Information query method, device, equipment and medium
CN117075930B (en) Computing framework management system
CN111459724B (en) Node switching method, device, equipment and computer readable storage medium
WO2021164368A1 (en) Container application starting method, system, and apparatus, and electronic device
CN110245166B (en) Data checking method and device
WO2023046010A1 (en) Parameter configuration method and apparatus for tracking device of steamvr system
US11379468B1 (en) Control flow graph refining via execution data
WO2011067056A1 (en) Automatic detection of stress condition
CN111339117B (en) Data processing method, device and equipment
CN100492299C (en) Embedded software developing method and system
US8762776B2 (en) Recovering from a thread hang
CN116743550B (en) Processing method of fault storage nodes of distributed storage cluster
CN111046430B (en) Data processing method and device, storage medium and electronic equipment
CN117041980B (en) Network element management method and device, storage medium and electronic equipment
CN117032739B (en) Mirror image generation method, system, storage medium and electronic equipment
CN115510927B (en) Fault detection method, device and equipment
CN110908792A (en) Data processing method and device

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant