CN118245333A - Abnormal behavior analysis method of Linux operating system and readable storage medium - Google Patents


Info

Publication number
CN118245333A
CN118245333A
Authority
CN
China
Prior art keywords
alarm
information
server
control center
acquiring
Prior art date
Legal status
Pending
Application number
CN202410193369.2A
Other languages
Chinese (zh)
Inventor
滕旺
Current Assignee
Shanghai Chuang Frame Software Co ltd
Original Assignee
Shanghai Chuang Frame Software Co ltd

Landscapes

  • Debugging And Monitoring (AREA)

Abstract

The invention discloses a Linux operating system abnormal behavior analysis method and a readable storage medium, comprising the following steps: configuring an alarm strategy, deploying a script on the Linux server to acquire host state information and send it to a control center, and registering the host information. The script pulls the alarm strategy from the control center and acquires and saves the system element information. A timing task is configured on the server; the latest information of the system elements is obtained periodically and compared with the historical information to generate a difference report, the difference report is matched with the alarm strategy to generate an alarm message, and the alarm message is sent to the log server and the control center to trigger an alarm. The design can quickly find and locate abnormal behaviors of the system, improves the stability and security of the system, and improves processing efficiency by adopting centralized management and analysis.

Description

Abnormal behavior analysis method of Linux operating system and readable storage medium
Technical Field
The invention relates to the technical field of system maintenance, in particular to a Linux operating system abnormal behavior analysis method and a readable storage medium.
Background
In the prior art, Linux operating systems are widely used in various server environments due to their open source nature and flexibility. However, as the size and complexity of server estates increase, how to accurately and efficiently detect and analyze abnormal behavior on servers becomes an important issue. Conventional approaches typically require manual inspection and analysis of large volumes of system logs and configuration files, which is not only inefficient but also difficult to scale to a large server environment. Therefore, a new technique capable of automatically and efficiently analyzing abnormal behavior is required.
Disclosure of Invention
The invention aims to provide a Linux operating system abnormal behavior analysis method and a readable storage medium.
In a first aspect, an embodiment of the present invention provides a method for analyzing abnormal behavior of a Linux operating system, including:
Acquiring and registering host state and system element information of a Linux server, pulling an alarm strategy, and initializing a script;
configuring a timing task on a server, and acquiring system element information of a current Linux server at fixed time, wherein the system element information comprises a file state and a process;
Comparing the latest information with the historical information in the configuration file each time the system element information is acquired, and generating a difference report;
combining the difference report with an alarm strategy to generate an alarm message;
Transmitting the alarm message to a log server and a control center, and triggering an alarm;
The control center responds to the user operation to carry out the configuration and real-time issuing of the self-defined alarm strategy.
In one possible implementation manner, the acquiring and registering the host state and the system element information of the Linux server, pulling the alarm policy, and implementing the initialization of the script includes:
acquiring host state information of a server, wherein the host state information comprises a host name, IP (Internet protocol), an operating system and a kernel, and sending the host name, the IP, the operating system and the kernel to a control center to register host information;
The latest alarm strategy is pulled from the control center, so that the initialization of the local alarm strategy is realized;
And acquiring system element information of the current server, wherein the system element information comprises file states and processes, and the file states and the processes are stored in a local configuration file to initialize the system element information and the script.
In a possible implementation manner, the configuring a timing task on the server, and acquiring system element information of the current Linux server at fixed time, where the system element information includes file states and processes, includes:
Setting a crontab timing task, and acquiring system element information of the Linux server at fixed time;
acquiring SSH key information, wherein the SSH key information comprises a user name, a storage file, a remote host IP, key content and an addition date;
Acquiring planning task configuration information, including a user name, task content and trigger conditions;
Acquiring network connection information, including protocol type, remote host IP and related processes;
Acquiring file state information, including a directory, a file name, rights, a file hash value and a modification date;
acquiring DNS query record information, including a queried domain name and response content of a DNS server;
Acquiring process information of a server, wherein the process information comprises a user name, a control terminal and command content;
And acquiring the software installation package information of the server, wherein the software installation package information comprises package names, version numbers and installation time.
In one possible implementation manner, each time the system element information is acquired, the latest information is compared with the historical information in the configuration file, and a difference report is generated, which includes:
comparing SSH key information, including the increase and decrease of the key and the change of the corresponding attribute of each record;
comparing the configuration information of the planning task, including the increase and decrease of the planning task and the change of the corresponding attribute of each record;
Comparing network connection information, including increase or decrease of network connection and change of corresponding attribute;
comparing file state information, including directory, increase and decrease of files and change of corresponding attributes;
comparing the DNS query record information, including the number of the newly added query records and the corresponding content;
Comparing the process information of the server, including increase and decrease of the processes and change of the corresponding attributes of each process;
comparing software installation package information of the server, wherein the software installation package information comprises the increase and decrease of software packages and the change of each software package version;
and summarizing the changes of the system elements of the server into a difference report.
In one possible implementation, the combining the discrepancy report with the alert policy generates an alert message, including:
Based on the difference report, determining the content of the alarm, the time for triggering the alarm and the alarm severity level by combining the alarm strategy;
screening the content needing to be alarmed according to the alarm strategy white list;
generating an alarm time stamp according to the trigger alarm time;
And organically combining the alarm content, the alarm time stamp and the alarm severity level to form an alarm message of the system element difference.
In one possible implementation manner, the transmitting the alarm message to the log server and the control center, triggering the alarm, includes:
the script transmits the alarm message to the log server and the control center;
The control center sends an alarm notification according to a preset alarm path;
And displaying the alarm message and the host state information to a preset large screen.
In a possible implementation manner, the configuration and real-time issuing of the custom alarm policy by the control center in response to a user operation include:
responding to user operation and customizing an alarm strategy through a control center;
responding to user operation to define network alarm strategy;
responding to user operation to define a process alarm strategy;
responding to user operation to define file alarm strategy;
And connecting each script in response to the user operation control center to realize real-time issuing and updating of the alarm strategy.
In a second aspect, an embodiment of the present invention provides a Linux operating system abnormal behavior analysis device, including:
The acquisition module is used for acquiring and registering host state information of the Linux server, pulling an alarm strategy from the control center and initializing a script; configuring a timing task, and acquiring system element information of a current Linux server at fixed time;
The analysis module is used for comparing the current system element information with the historical information in the configuration file to generate a difference report; combining the difference report with an alarm strategy to generate an alarm message; transmitting the alarm message to a log server and a control center, and triggering an alarm; and receiving the alarm strategy pushed by the control center, and realizing the real-time issuing of the strategy.
In a third aspect, an embodiment of the present invention provides a computer device, where the computer device includes a processor and a nonvolatile memory storing computer instructions, where the computer instructions, when executed by the processor, perform a Linux operating system abnormal behavior analysis method according to at least one possible implementation manner of the first aspect.
In a fourth aspect, an embodiment of the present invention provides a readable storage medium, where the readable storage medium includes a computer program, where the computer program controls a computer device where the readable storage medium is located to execute the method for analyzing abnormal behavior of a Linux operating system in at least one possible implementation manner of the first aspect.
Compared with the prior art, the invention has the beneficial effects that: the method for analyzing abnormal behavior of Linux operating system and the readable storage medium thereof are adopted, a self-defined alarm strategy is configured in advance in a control center, a script is deployed on a Linux server, the script firstly acquires host state information of the Linux server, the host state information is sent to the control center, registration of server information is realized, the alarm strategy is pulled from the control center, system element information of the server is acquired and stored in a configuration file mode, and initialization of the script is completed. And then configuring a timing task on a server, acquiring system element information such as the latest file state, process information and the like at fixed time, comparing the latest system element information with historical information in the configuration file to generate a difference report, and further matching the difference report with an alarm strategy to generate an alarm message. And finally, sending the alarm message to a log server and a control center to trigger an alarm. By the design, abnormal behaviors of the system can be rapidly found and positioned, so that the stability and the safety of the system are improved, and meanwhile, the efficiency of processing the abnormality is improved by adopting centralized management and analysis.
Drawings
In order to more clearly illustrate the technical solution of the embodiments of the present invention, the drawings that are required to be used in the embodiments will be briefly described. It is appreciated that the following drawings depict only certain embodiments of the invention and are therefore not to be considered limiting of its scope. Other relevant drawings may be made by those of ordinary skill in the art without undue burden from these drawings.
FIG. 1 is a schematic block diagram of a step flow of a method for analyzing abnormal behavior of a Linux operating system according to an embodiment of the present invention;
FIG. 2 is a schematic block diagram of a device for analyzing abnormal behavior of a Linux operating system according to an embodiment of the present invention;
Fig. 3 is a schematic block diagram of a computer device according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present invention more clear, the technical solutions of the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings in the embodiments of the present invention. It will be apparent that the described embodiments are some, but not all, embodiments of the invention. The components of the embodiments of the present invention generally described and illustrated in the figures herein may be arranged and designed in a wide variety of different configurations.
Thus, the following detailed description of the embodiments of the invention, as presented in the figures, is not intended to limit the scope of the invention, as claimed, but is merely representative of selected embodiments of the invention. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
It should be noted that: like reference numerals and letters denote like items in the following figures, and thus once an item is defined in one figure, no further definition or explanation thereof is necessary in the following figures.
In the description of the present invention, it should be understood that the directions or positional relationships indicated by the terms "upper", "lower", "inner", "outer", "left", "right", etc. are based on the directions or positional relationships shown in the drawings, or the directions or positional relationships conventionally put in place when the product of the application is used, or the directions or positional relationships conventionally understood by those skilled in the art are merely for convenience of describing the present invention and simplifying the description, and do not indicate or imply that the apparatus or elements to be referred to must have a specific direction, be constructed and operated in a specific direction, and thus should not be construed as limiting the present invention.
Furthermore, the terms "first," "second," and the like, are used merely to distinguish between descriptions and should not be construed as indicating or implying relative importance.
In the description of the present invention, it should also be noted that, unless explicitly specified and limited otherwise, terms such as "disposed," "connected," and the like are to be construed broadly, and for example, "connected" may be either fixedly connected, detachably connected, or integrally connected; can be mechanically or electrically connected; can be directly connected or indirectly connected through an intermediate medium, and can be communication between two elements. The specific meaning of the above terms in the present invention can be understood by those of ordinary skill in the art according to the specific circumstances.
The following describes specific embodiments of the present invention in detail with reference to the drawings.
In order to solve the technical problems in the background art, fig. 1 is a flow chart of a Linux operating system abnormal behavior analysis method provided in an embodiment of the disclosure, and the Linux operating system abnormal behavior analysis method is described in detail below.
Step S201, acquiring and registering host state and system element information of a Linux server, pulling an alarm strategy, and initializing a script;
Step S202, configuring a timing task on a server, and acquiring system element information of a current Linux server at fixed time, wherein the system element information comprises file states and processes;
Step S203, comparing the latest information with the history information in the configuration file each time the system element information is acquired, and generating a difference report;
step S204, combining the difference report with an alarm strategy to generate an alarm message;
Step S205, transmitting an alarm message to a log server and a control center, and triggering an alarm;
in step S206, the control center responds to the user operation to perform configuration and real-time issuing of the custom alarm strategy.
In the embodiment of the invention, it is assumed that a network security team wants to perform abnormal behavior analysis on a Linux server inside a company. They first log in to the target server with administrator rights and deploy the abnormal behavior analysis script. The script detects changes to the system elements of the server at regular intervals and sends alarms to the log server and the control center according to the alarm strategy. When run for the first time, the script reads state information such as the host name and IP of the server and sends it to the control center for host registration; reads system element information such as files and network connections on the server, completing the initialization of that information; and pulls the alarm strategy from the control center, completing the initialization of the script. The script sets a timing task on the server, periodically scans the current system element information, and compares it with the historical information in the configuration file to form a difference report. For information that differs, the user-defined alarm strategy is applied to generate alarm information comprising alarm content, a time stamp and an alarm severity level, and the alarm information is transmitted to the log server and the control center. Finally, the control center aggregates the alarm messages and notifies the network security team or administrator for further investigation and handling. The alert information may be sent to the relevant personnel in the form of an email, a short message, or a system notification. The network security team can also configure and issue the custom alarm strategy in real time through the control center.
In one possible implementation, the foregoing step S201 may be implemented by the following example execution.
(1) Acquiring host state information of a server, wherein the host state information comprises a host name, IP (Internet protocol), an operating system and a kernel, and sending the host name, the IP, the operating system and the kernel to a control center to register host information;
(2) The latest alarm strategy is pulled from the control center, so that the initialization of the local alarm strategy is realized;
(3) And acquiring system element information of the current server, wherein the system element information comprises file states and processes, and the file states and the processes are stored in a local configuration file to initialize the system element information and the script.
In the embodiment of the invention, by way of example, a network security team logs on to a Linux server and needs to install and run the script so that changes to the server's system elements are monitored. First, the executable file of the script is uploaded to the server and run through SSH or a similar channel. The script first reads the host name, IP, operating system, kernel version and script version of the server and sends this information to the control center to register the host; then it synchronizes the latest alarm strategy from the control center using the API interface the control center provides; finally, the states of system elements such as the SSH keys, planning tasks, network connections, files, DNS query records and process state of the server (the specific method is described in detail in step S202) are read and stored in the local configuration file, which serves as the reference for subsequent difference comparison, completing the initialization of the data and the script.
In one possible implementation, the foregoing step S202 may be implemented by the following example execution.
(1) Setting a crontab timing task, and acquiring system element information of the Linux server at fixed time;
(2) Acquiring SSH key information, wherein the SSH key information comprises a user name, a storage file, a remote host IP, key content and an addition date;
(3) Acquiring planning task configuration information, including a user name, task content and trigger conditions;
(4) Acquiring network connection information, including protocol type, remote host IP and related processes;
(5) Acquiring file state information, including a directory, a file name, rights, a file hash value and a modification date;
(6) Acquiring DNS query record information, including a queried domain name and response content of a DNS server;
(7) Acquiring process information of a server, wherein the process information comprises a user name, a control terminal and command content;
(8) And acquiring the software installation package information of the server, wherein the software installation package information comprises package names, version numbers and installation time.
In the embodiment of the present invention, by way of example, the script needs to acquire system elements of the server such as the SSH keys, the planning tasks, the network connections, the files, the DNS query records and the process state. The script can acquire the user name, the file to which the key belongs, the remote server IP, the key content and other information of the SSH keys stored locally by reading the known_hosts and authorized_keys files; it obtains the user name, task content and trigger conditions of the server's current planning tasks by traversing all files under the /var/spool/cron/ directory; it obtains the IP, port, protocol and participating process of each remote host currently connected to the server through commands such as netstat; it obtains the permissions, hash value, modification date and other information of directories and files by traversing the hash values of key directories such as /usr/bin and /usr/sbin and monitoring key files such as /etc/passwd; it monitors the DNS query records of the server, for example by means of a Python program, and acquires the queried domain name and the corresponding response; it queries the current process state of the server through commands such as ps, obtaining the user name, control terminal and command content of each process; and it obtains the list of software packages currently installed on the server, including software installation packages and Python third-party libraries, through commands such as yum list and pip list, acquiring the package names, version numbers and other information.
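The collection step for two of the element types named above (SSH keys from authorized_keys and known_hosts, and file state as directory, name, permission bits, hash and modification date), written as an added example in Python. This is not code from the patent or from the assignee; the record layout, the function names and the sample key files are assumptions constructed for the example, and the tree is built in a temporary directory so that it runs offline.

```python
import hashlib
import os
import stat
import tempfile
from datetime import datetime, timezone

# Constructed sample inputs (not from the patent): an authorized_keys file and a
# known_hosts file as they might appear under a user's ~/.ssh on a monitored host.
SAMPLE_AUTHORIZED_KEYS = """\
# comment lines are ignored by sshd and by this parser
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleKeyMaterial0000000000000000000 alice@laptop
command="/usr/bin/backup" ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQExampleRsaKey backup@host
"""

SAMPLE_KNOWN_HOSTS = """\
10.0.0.5 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleHostKey0000000000000000000000
[git.example.internal]:2222 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQExampleHostRsa
"""


def parse_authorized_keys(user, path, text):
    """One record per key: user, storage file, options, key type, key content, comment.
    Options such as command="..." may precede the key type; they are kept verbatim."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        # the first token that looks like a key type ends the (optional) options prefix
        idx = next((i for i, p in enumerate(parts)
                    if p.startswith(("ssh-", "ecdsa-", "sk-"))), None)
        if idx is None or idx + 1 >= len(parts):
            continue
        records.append({
            "user": user, "file": path,
            "options": " ".join(parts[:idx]),
            "key_type": parts[idx], "key": parts[idx + 1],
            "comment": " ".join(parts[idx + 2:]),
        })
    return records


def parse_known_hosts(user, path, text):
    """One record per line: user, storage file, remote host, key type, key content."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) < 3:
            continue
        records.append({"user": user, "file": path, "remote_host": parts[0],
                        "key_type": parts[1], "key": parts[2]})
    return records


def file_state(path):
    """Directory, file name, permission bits, SHA-256 and modification date of one file."""
    st = os.stat(path)
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return {
        "dir": os.path.dirname(path), "name": os.path.basename(path),
        "mode": oct(stat.S_IMODE(st.st_mode)), "sha256": digest.hexdigest(),
        "mtime": datetime.fromtimestamp(st.st_mtime, timezone.utc).isoformat(),
    }


def snapshot_directory(root):
    """Walk a tree and return file states keyed by path; this is the shape cached as history."""
    states = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            full = os.path.join(dirpath, name)
            states[full] = file_state(full)
    return states


def build_demo_snapshot():
    """Create a constructed ~/.ssh tree in a temp dir and collect SSH-key and file-state elements."""
    root = tempfile.mkdtemp(prefix="elements-")
    ssh_dir = os.path.join(root, "home", "alice", ".ssh")
    os.makedirs(ssh_dir)
    ak = os.path.join(ssh_dir, "authorized_keys")
    kh = os.path.join(ssh_dir, "known_hosts")
    with open(ak, "w") as f:
        f.write(SAMPLE_AUTHORIZED_KEYS)
    with open(kh, "w") as f:
        f.write(SAMPLE_KNOWN_HOSTS)
    os.chmod(ak, 0o600)
    return {
        "ssh_keys": parse_authorized_keys("alice", ak, SAMPLE_AUTHORIZED_KEYS)
                    + parse_known_hosts("alice", kh, SAMPLE_KNOWN_HOSTS),
        "files": snapshot_directory(root),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(build_demo_snapshot(), indent=2))
```

The snapshot is keyed by full path so that the later comparison step can detect added, removed and changed files by key; the permission bits and hash are what make a quietly modified /etc/passwd or a loosened authorized_keys mode visible as an attribute change rather than a new entry.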
In one possible implementation, the aforementioned step S203 may be implemented by performing the following manner.
(1) Comparing SSH key information, including the increase and decrease of the key and the change of the corresponding attribute of each record;
(2) Comparing the configuration information of the planning task, including the increase and decrease of the planning task and the change of the corresponding attribute of each record;
(3) Comparing network connection information, including increase or decrease of network connection and change of corresponding attribute;
(4) Comparing file state information, including directory, increase and decrease of files and change of corresponding attributes;
(5) Comparing the DNS query record information, including the number of the newly added query records and the corresponding content;
(6) Comparing the process information of the server, including increase and decrease of the processes and change of the corresponding attributes of each process;
(7) Comparing software installation package information of the server, wherein the software installation package information comprises the increase and decrease of software packages and the change of each software package version;
(8) The changes in the server system elements are summarized as a variance analysis report.
In the embodiment of the invention, the script needs to compare the current system element information with the historical information in the configuration file. The script reads the configuration file directory, loads the previously cached historical system element information such as SSH keys and planning tasks, and compares it with the latest system element information: comparing the user name, file to which the key belongs, remote server IP, key content and other attributes of newly added SSH keys against the existing SSH keys; comparing the user name, task content, trigger conditions and other attributes of newly added planning tasks against the existing planning tasks; comparing the remote host IP, port, protocol, process and other attributes of newly added network connections against the existing network connections; comparing the permissions, hash value, modification date and other attributes of newly added directories and files against the existing directories and files; comparing the domain names queried by newly added DNS query records and the corresponding responses; comparing the user name, control terminal, command content and other attributes of newly added processes against the existing processes; and comparing the version, installation time and other attributes of newly added software installation packages against the existing packages. Finally, the script summarizes the differences into a difference analysis report.
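The comparison step, written as an added example in Python that generalizes the per-element comparisons above into one keyed diff: each element type is identified by the fields that name a record, and a report of added, removed and changed records (with the attribute that changed and its old and new values) is produced. This is not the patent's or the assignee's code; the element names, the key fields and the two snapshots are constructed for the example.

```python
# Constructed history (the cached configuration file) and current snapshot; not from the patent.
HISTORY_SNAPSHOT = {
    "ssh_keys": [{"user": "alice", "file": "/home/alice/.ssh/authorized_keys",
                  "key": "AAAAC3...alice", "added": "2024-01-10"}],
    "cron": [{"user": "root", "command": "/usr/local/bin/backup.sh", "schedule": "0 2 * * *"}],
    "connections": [{"proto": "tcp", "remote": "10.0.0.5:5432", "pid": 812, "process": "postgres"}],
    "files": [{"path": "/etc/passwd", "mode": "0o644", "sha256": "a1b2", "mtime": "2024-01-01"}],
    "dns": [{"domain": "repo.example.internal", "answer": "10.0.0.20"}],
    "processes": [{"pid": 812, "user": "postgres", "tty": "?", "command": "postgres -D /var/lib/pgsql"},
                  {"pid": 1501, "user": "alice", "tty": "pts/0", "command": "bash"}],
    "packages": [{"name": "openssl", "version": "1.1.1k", "installed": "2023-12-01"}],
}

CURRENT_SNAPSHOT = {
    "ssh_keys": HISTORY_SNAPSHOT["ssh_keys"] + [
        {"user": "root", "file": "/root/.ssh/authorized_keys",
         "key": "AAAAB3...unknown", "added": "2024-02-20"}],
    "cron": HISTORY_SNAPSHOT["cron"],
    "connections": HISTORY_SNAPSHOT["connections"],
    "files": [{"path": "/etc/passwd", "mode": "0o644", "sha256": "c3d4", "mtime": "2024-02-20"}],
    "dns": HISTORY_SNAPSHOT["dns"] + [{"domain": "updates.example.net", "answer": "203.0.113.10"}],
    "processes": [HISTORY_SNAPSHOT["processes"][0]],
    "packages": [{"name": "openssl", "version": "1.1.1w", "installed": "2024-02-20"}],
}

# Fields that identify a record of each element type (assumed choice for the example).
ELEMENT_KEYS = {
    "ssh_keys": ("user", "file", "key"),
    "cron": ("user", "command"),
    "connections": ("proto", "remote", "pid"),
    "files": ("path",),
    "dns": ("domain", "answer"),
    "processes": ("pid",),
    "packages": ("name",),
}


def index_records(records, key_fields):
    """Key each record by its identifying fields so old and new can be matched."""
    return {tuple(r[k] for k in key_fields): r for r in records}


def diff_records(old, new, key_fields):
    """Added and removed records, plus per-attribute changes for records present in both."""
    old_i, new_i = index_records(old, key_fields), index_records(new, key_fields)
    added = [new_i[k] for k in sorted(new_i.keys() - old_i.keys())]
    removed = [old_i[k] for k in sorted(old_i.keys() - new_i.keys())]
    changed = []
    for k in sorted(old_i.keys() & new_i.keys()):
        attrs = {a: (old_i[k].get(a), new_i[k][a])
                 for a in new_i[k] if old_i[k].get(a) != new_i[k][a]}
        if attrs:
            changed.append({"key": k, "record": new_i[k], "changes": attrs})
    return {"added": added, "removed": removed, "changed": changed}


def diff_report(history, current):
    """Summarize all element types into one difference report; unchanged types are omitted."""
    report = {}
    for element, keys in ELEMENT_KEYS.items():
        d = diff_records(history.get(element, []), current.get(element, []), keys)
        if element == "dns":
            # DNS records only accumulate, so only the count and content of new queries matter
            if d["added"]:
                report[element] = {"new_count": len(d["added"]), "new": d["added"]}
        elif any(d.values()):
            report[element] = d
    return report


if __name__ == "__main__":
    import json
    print(json.dumps(diff_report(HISTORY_SNAPSHOT, CURRENT_SNAPSHOT), indent=2, default=list))
```

Keying file records by path (rather than by hash) is what turns a rewritten /etc/passwd into a "changed" entry carrying the old and new hash; keying packages by name does the same for a version change, while a process keyed by pid that disappears shows up under "removed".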
In one possible implementation, the foregoing step S204 may be implemented by the following example execution.
(1) Based on the difference analysis report, determining the content, the alarm time and the alarm severity level of the alarm by combining the alarm strategy;
(2) Screening the content needing to be alarmed according to the alarm strategy white list;
(3) Generating an alarm time stamp according to the trigger alarm time;
(4) And organically combining the alarm content, the alarm time stamp and the alarm severity level to form an alarm message of the system element difference.
In the embodiment of the invention, by way of example, the script obtains a difference analysis report of the system element information. Based on the difference information and the locally stored alarm policy, the script determines the content of the triggered alarm (such as a newly added SSH key entry), the time of the alarm (such as the last modification time of the report_hosts file) and the severity level of the alarm (such as warning, error and critical), and further screens the alarm messages according to the white list in the alarm policy, thereby reducing the data volume. Since the script has determined the point in time at which the alarm was triggered, an alarm time stamp is generated for the alarm event for recording and tracking the alarm. The script determines the severity level of the alert, for example classifying a change in the SSH key entries as the alert level. Finally, the script combines the alarm content, the alarm time stamp and the alarm severity level into a triplet, forming an alarm message.
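Step S204 (policy matching, white-list screening, time stamp, severity) written as an added example in Python. It is not the patent's or the assignee's code: the policy layout (a severity per element type and change kind, plus a list of white-listed prefixes), the difference report fed in, and the fixed detection time are all constructed for the example.

```python
from datetime import datetime, timezone

SEVERITY_RANK = {"info": 0, "warning": 1, "error": 2, "critical": 3}

# Constructed alarm policy as the control center might issue it (assumed format, not the patent's).
# "whitelist" lists identity prefixes whose changes are not alarmed on.
ALARM_POLICY = {
    "ssh_keys": {"added": "error", "removed": "warning", "changed": "error"},
    "files": {"added": "warning", "removed": "warning", "changed": "error",
              "whitelist": ["/var/log/", "/tmp/"]},
    "connections": {"added": "warning", "removed": "info",
                    "whitelist": ["10.0.0.", "10.0.1."]},
    "processes": {"added": "info", "removed": "info", "changed": "warning"},
    "packages": {"added": "warning", "removed": "warning", "changed": "warning"},
}

# Constructed difference report in the shape of step S203 (no "dns" rule exists in the policy,
# so DNS entries are logged upstream but produce no alarm here).
SAMPLE_REPORT = {
    "ssh_keys": {"added": [{"user": "root", "file": "/root/.ssh/authorized_keys",
                            "key": "AAAAB3...unknown"}],
                 "removed": [], "changed": []},
    "files": {"added": [{"path": "/var/log/app.log", "mode": "0o644"}],
              "removed": [],
              "changed": [{"record": {"path": "/etc/passwd", "mode": "0o644", "sha256": "c3d4"},
                           "changes": {"sha256": ("a1b2", "c3d4")}}]},
    "connections": {"added": [{"proto": "tcp", "remote": "10.0.0.7:5432", "pid": 812},
                              {"proto": "tcp", "remote": "203.0.113.9:4444", "pid": 2210}],
                    "removed": [], "changed": []},
    "dns": {"new_count": 1, "new": [{"domain": "updates.example.net", "answer": "203.0.113.10"}]},
}


def record_identity(record):
    """The field a white-list prefix is matched against (assumed order of preference)."""
    for field in ("path", "remote", "name", "key", "command", "pid"):
        if field in record:
            return str(record[field])
    return ""


def is_whitelisted(element, record, policy):
    prefixes = policy.get(element, {}).get("whitelist", [])
    return any(record_identity(record).startswith(p) for p in prefixes)


def describe(element, kind, entry):
    """Human-readable alarm content; changed entries list each attribute with old -> new."""
    if kind == "changed":
        changes = ", ".join(f"{a}: {o!r} -> {n!r}"
                            for a, (o, n) in sorted(entry["changes"].items()))
        return f"{element} changed {record_identity(entry['record'])} ({changes})"
    return f"{element} {kind} {record_identity(entry)}"


def build_alarms(report, policy, detected_at):
    """Turn a difference report into (content, timestamp, severity) alarm messages."""
    ts = detected_at.isoformat(timespec="seconds")
    alarms = []
    for element, diff in report.items():
        rules = policy.get(element)
        if not rules:
            continue
        for kind in ("added", "removed", "changed"):
            severity = rules.get(kind)
            if severity is None:
                continue
            for entry in diff.get(kind, []):
                record = entry["record"] if kind == "changed" else entry
                if is_whitelisted(element, record, policy):
                    continue  # screened out by the policy white list
                alarms.append({"content": describe(element, kind, entry),
                               "timestamp": ts, "severity": severity})
    # most severe first; stable sort keeps report order within one severity
    alarms.sort(key=lambda a: -SEVERITY_RANK[a["severity"]])
    return alarms


def demo_alarms():
    """Run the sample report against the sample policy at a fixed detection time."""
    return build_alarms(SAMPLE_REPORT, ALARM_POLICY,
                        datetime(2024, 2, 20, 8, 30, tzinfo=timezone.utc))


if __name__ == "__main__":
    for a in demo_alarms():
        print(a["severity"], a["timestamp"], a["content"])
```

Of the five changes in the sample report, the white list drops the log file and the internal database connection, leaving one warning for the external connection and two errors (the new root key and the modified /etc/passwd); with a time stamp from the detection run, each alarm is the triplet the text describes.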
In one possible implementation, the aforementioned step S205 may be implemented by the following example execution.
(1) The script transmits the alarm message to the log server and the control center;
(2) The control center sends an alarm notification according to a preset alarm path;
(3) And displaying the alarm statistical information and the host state information to a preset large screen.
In an embodiment of the invention, by way of example, the script generates an alert message for a change in a server system element. The script transmits the alarm message to the log server (e.g. ELK) over the UDP protocol; the control center then pulls the information from the log server and sends the alarm message through a preset channel (e.g. mail, SMS). After sending the alarm messages, the control center can display the alarm messages from every script in one place, and can also produce statistics from them such as the number and type of alarms. At the same time, the server can acquire host state information of the target Linux server, such as CPU utilization, memory occupation and disk space. To make monitoring and review convenient for the management team, a preset large screen is installed in the office area of the network security team. The server displays the generated alarm statistics and host state information on the large screen as charts, tables or other forms for team members to monitor and analyze in real time. With this design, team members can quickly grasp the alarm situation of the monitored objects and the host state of the target Linux server through an intuitive real-time display, and take corresponding measures in time.
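The transmission step (alarm messages sent as UDP datagrams to a log server and a control center) as an added example in Python, not code from the patent or the assignee. It assumes a JSON payload carrying the sending host and a sequence number, which the text does not specify; both are added because UDP gives no delivery guarantee, so a receiver needs them to notice lost or duplicated alarms. The two receivers are bound on the loopback interface so that the example runs offline.

```python
import json
import socket

MAX_DATAGRAM = 1400  # assumed limit; keeps each alarm in one unfragmented datagram


def serialize_alarm(host, seq, alarm):
    """JSON payload: host identity plus a sequence number so the receiver can spot gaps."""
    payload = {"host": host, "seq": seq, **alarm}
    data = json.dumps(payload, sort_keys=True).encode("utf-8")
    if len(data) > MAX_DATAGRAM:
        raise ValueError(f"alarm {seq} too large for one datagram ({len(data)} bytes)")
    return data


def send_alarms(host, alarms, targets, start_seq=0):
    """Send every alarm to every (ip, port) target; returns the number of datagrams sent."""
    sent = 0
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        for seq, alarm in enumerate(alarms, start=start_seq):
            data = serialize_alarm(host, seq, alarm)
            for target in targets:
                sock.sendto(data, target)
                sent += 1
    return sent


def receive_alarms(sock, count, timeout=2.0):
    """Receive `count` datagrams from a bound UDP socket and decode them."""
    sock.settimeout(timeout)
    received = []
    for _ in range(count):
        data, _addr = sock.recvfrom(65535)
        received.append(json.loads(data.decode("utf-8")))
    return received


def demo_roundtrip():
    """Stand in for the log server and the control center with two loopback listeners."""
    log_server = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    control_center = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        log_server.bind(("127.0.0.1", 0))
        control_center.bind(("127.0.0.1", 0))
        targets = [log_server.getsockname(), control_center.getsockname()]
        # constructed alarm messages in the (content, timestamp, severity) shape of step S204
        alarms = [
            {"content": "ssh_keys added AAAAB3...unknown",
             "timestamp": "2024-02-20T08:30:00+00:00", "severity": "error"},
            {"content": "connections added 203.0.113.9:4444",
             "timestamp": "2024-02-20T08:30:00+00:00", "severity": "warning"},
        ]
        sent = send_alarms("web-01", alarms, targets)
        return (sent,
                receive_alarms(log_server, len(alarms)),
                receive_alarms(control_center, len(alarms)))
    finally:
        log_server.close()
        control_center.close()


if __name__ == "__main__":
    sent, at_log, at_ctrl = demo_roundtrip()
    print(f"sent {sent} datagrams; log server got {len(at_log)}, control center got {len(at_ctrl)}")
```

Because the datagrams carry no integrity protection of their own, a deployment that sends alarms across an untrusted network segment would wrap them in a transport that authenticates the sender (for example a TLS-based log shipper) rather than relying on bare UDP; the sequence number at least lets the receiving side detect a gap.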
In one possible implementation, step S206 may be carried out as follows.
(1) A user customizes an alarm policy through the control center;
(2) The user can customize the network alarm policy;
(3) The user can customize the process alarm policy;
(4) The user can customize the file alarm policy;
(5) The control center connects to each script to issue and update the alarm policy in real time.
In this embodiment, for example, the network security team decides which alarms it wants to receive by customizing the alarm policy. Through the control center it defines network, process and file alarm policies, including a whitelist for network connections, the specific content and severity level of each alarm and the transmission channel, which together determine what the script monitors and which alarms it transmits. Once the security team saves the configured policy, the control center communicates with the scripts and issues the policy in real time so that it takes effect promptly.
The following describes an overall implementation of an embodiment of the invention.
(1) Data acquisition: data acquisition is one of the key steps of the invention. By executing a script on the target Linux server, information on files, directories, network connections, processes, scheduled tasks, installed software packages and the like is collected. The data are written out as text configuration files for subsequent comparison.
(2) Data comparison: comparison is the core of the monitoring process. After each run of the acquisition script, the newly generated configuration file is compared with the result of the previous run. This step identifies changes such as new files or directories and terminated processes; its purpose is to detect abnormal behavior and potential threats.
(3) Data transmission: once a change is detected, the change information is combined with the alarm policy to generate an alarm message, which is transmitted over UDP to a predefined log platform and to the control center. UDP is used to reduce transmission latency and keep the information timely. Transmission delivers the monitoring results to a central location for further analysis and processing.
(4) Scheduled task execution: the execution frequency of the monitoring system is configured by the user as a scheduled task, so the execution interval can be tailored to different monitoring requirements. For example, the user may run the check once a minute or once an hour, depending on the needs of the system.
(5) Alarm policy: at the control center, the user sets the alarm policy according to specific requirements. The policy may include when an alarm is triggered, the severity level of the alarm and the notification method (e.g. e-mail, WeCom (Enterprise WeChat), DingTalk and so on). This ensures that the user is informed in time when an abnormal event occurs.
(6) Large screen display: the user can observe the security state of the systems in real time on the large screen, including installation statistics, version statistics, process alarm statistics, network connection alarm statistics, file alarm statistics and the like.
Specifically, the implementation proceeds as follows.
A. Script configuration: the user deploys the script of the invention on each server that needs to be monitored.
B. Script execution: on its first run the script collects the host name, IP address and similar information of the host and registers with the control center, pulls the latest alarm policy, collects the system element information (system files, directories, network connections, processes, scheduled tasks and installed software packages) and stores it in a configuration file, and sets up a timed task that collects the latest information at a fixed interval.
C. Data comparison: each execution result is compared with the configuration file from the previous execution; the comparison identifies changes in the system, such as files added or deleted, network connection state changes, processes started or stopped, and software packages installed or uninstalled.
D. Data transmission: once a change is detected, the comparison result is turned into an alarm message and transmitted over UDP to the predefined log platform; UDP helps reduce transmission latency so that the information stays timely.
E. Alarm policy setting: at the control center the user sets alarm policies that determine when an alarm is triggered and may define the severity level of each alarm, such as warning, emergency or critical. The alarm policy is issued to the script on each server in real time and takes effect immediately.
F. Alarm notification: when the invention detects potentially abnormal behavior, the corresponding alarm is triggered according to the user's alarm policy, and the user receives the notification by e-mail, WeCom, DingTalk or a similar channel so that appropriate action can be taken.
This design achieves automatic monitoring and comparison: the automated acquisition and comparison process greatly reduces the need for manual intervention, making the monitoring system more timely and efficient. Comprehensive data acquisition: by collecting multiple key data points, the invention provides more complete system monitoring. Flexible alarm policy: the user can configure the alarm policy to suit different monitoring scenarios. Real-time transmission: UDP is used for data transmission so that monitoring data arrive quickly and measures can be taken promptly when a system anomaly occurs. Scalability: the technical scheme can easily be extended with further monitoring targets and acquisition scripts and is suited to a variety of Linux server environments, which makes the invention flexible enough to meet various monitoring needs.
Referring to fig. 2, fig. 2 is a schematic block diagram of a Linux operating system abnormal behavior analysis device 110 according to an embodiment of the invention. The device includes:
an acquisition module for acquiring and registering host state information of the Linux server, pulling the alarm policy from the control center and initializing the script, and for configuring a timed task that collects the system element information of the current Linux server at a fixed interval; and
an analysis module for comparing the current system element information with the historical information in the configuration file to generate a difference report, combining the difference report with the alarm policy to generate an alarm message, transmitting the alarm message to the log server and the control center to trigger an alarm, and receiving the alarm policy pushed by the control center so that policies are issued in real time.
The implementation principle of the device 110 is the same as that of the method described above and is not repeated here. The division into modules is a division of logical functions only; in an actual implementation the modules may be integrated, wholly or in part, into one physical entity or be physically separate. The modules may all be implemented as software invoked by a processing element, or all in hardware, or some as software invoked by a processing element and others in hardware. For example, the device 110 may be a separately provided processing element, may be implemented in a chip of the computer device, or may be stored in the memory of the computer device as program code that a processing element of the device calls to perform its function. The other modules are implemented similarly, and all or some of the modules may be integrated together or implemented independently. The processing element here may be an integrated circuit with signal processing capability; in implementation, each step of the method or each module above may be completed by integrated logic circuits in a processor element or by instructions in software form.
For example, the modules may be one or more integrated circuits configured to perform the method above, such as one or more application-specific integrated circuits (ASICs), one or more digital signal processors (DSPs) or one or more field-programmable gate arrays (FPGAs). Alternatively, when a module is implemented as program code scheduled by a processing element, the processing element may be a general-purpose processor such as a central processing unit (CPU) or another processor able to invoke the program code. The modules may also be integrated together and implemented as a system on a chip (SoC).
An embodiment of the invention provides a computer device 100 comprising a processor and a non-volatile memory storing computer instructions; when the processor executes the instructions, the computer device 100 runs the Linux operating system abnormal behavior analysis device 110. Fig. 3 is a block diagram of the computer device 100 according to an embodiment of the invention. The computer device 100 includes the Linux operating system abnormal behavior analysis device 110, a memory 111, a processor 112 and a communication unit 113.
The memory 111, the processor 112 and the communication unit 113 are electrically connected to one another, directly or indirectly, for data transmission or interaction, for example via one or more communication buses or signal lines. The device 110 includes at least one software function module that may be stored in the memory 111 as software or firmware or built into the operating system (OS) of the computer device 100. The processor 112 executes the device 110 stored in the memory 111, that is, the software function modules and computer programs it contains.
An embodiment of the invention provides a readable storage medium comprising a computer program which, when run, controls the computer device on which the storage medium resides to perform the Linux operating system abnormal behavior analysis method described above.
The foregoing description, for purpose of explanation, has been presented with reference to particular embodiments. The illustrative discussions above are not intended to be exhaustive or to limit the disclosure to the precise forms disclosed. Many modifications and variations are possible in light of the above teaching. The embodiments were chosen and described in order to best explain the principles of the disclosure and its practical application, to thereby enable others skilled in the art to best utilize the disclosure and various embodiments with various modifications as are suited to the particular use contemplated.

Claims (10)

1. A method for analyzing abnormal behavior of a Linux operating system, characterized by comprising the following steps:
acquiring and registering host state and system element information of a Linux server, pulling an alarm policy, and initializing a script;
configuring a timed task on the server that acquires the system element information of the current Linux server at a fixed interval, the system element information including file states and processes;
each time the system element information is acquired, comparing the latest information with the historical information in the configuration file and generating a difference report;
combining the difference report with the alarm policy to generate an alarm message;
transmitting the alarm message to a log server and a control center and triggering an alarm; and
the control center, in response to user operation, configuring a custom alarm policy and issuing it in real time.
2. The method of claim 1, wherein acquiring and registering the host state and system element information of the Linux server, pulling the alarm policy and initializing the script comprises:
acquiring host state information of the server, including the host name, IP address, operating system and kernel, and sending them to the control center to register the host;
pulling the latest alarm policy from the control center to initialize the local alarm policy; and
acquiring the system element information of the current server, including file states and processes, and storing it in a local configuration file to initialize the system element information and the script.
3. The method of claim 1, wherein configuring the timed task on the server and acquiring the system element information of the current Linux server at a fixed interval, the system element information including file states and processes, comprises:
setting a crontab timed task that acquires the system element information of the Linux server at a fixed interval;
acquiring SSH key information, including the user name, the file in which the key is stored, the remote host IP, the key content and the date added;
acquiring scheduled task configuration, including the user name, task content and trigger condition;
acquiring network connection information, including the protocol type, remote host IP and associated process;
acquiring file state information, including the directory, file name, permissions, file hash and modification date;
acquiring DNS query records, including the queried domain name and the response of the DNS server;
acquiring process information of the server, including the user name, controlling terminal and command line; and
acquiring installed software package information of the server, including package name, version number and installation time.
4. The method of claim 1, wherein comparing the latest information with the historical information in the configuration file each time the system element information is acquired and generating the difference report comprises:
comparing SSH key information, including keys added or removed and changes to the attributes of each record;
comparing scheduled task configuration, including tasks added or removed and changes to the attributes of each record;
comparing network connection information, including connections added or removed and changes to their attributes;
comparing file state information, including directories and files added or removed and changes to their attributes;
comparing DNS query records, including the number of new query records and their content;
comparing process information of the server, including processes started or stopped and changes to the attributes of each process;
comparing installed software package information of the server, including packages added or removed and changes to the version of each package; and
summarizing the changes to the server's system elements into a difference report.
5. The method of claim 1, wherein combining the difference report with the alarm policy to generate the alarm message comprises:
determining, from the difference report combined with the alarm policy, the alarm content, the time at which the alarm is triggered and the alarm severity level;
filtering the content to be alarmed on according to the whitelist in the alarm policy;
generating an alarm timestamp from the trigger time; and
combining the alarm content, the alarm timestamp and the alarm severity level into an alarm message describing the system element difference.
6. The method of claim 5, wherein transmitting the alarm message to the log server and the control center and triggering the alarm comprises:
the script transmitting the alarm message to the log server and the control center;
the control center sending an alarm notification over a preconfigured alarm channel; and
displaying the alarm message and the host state information on a preconfigured large screen.
7. The method of claim 1, wherein the control center configuring the custom alarm policy and issuing it in real time in response to user operation comprises:
customizing an alarm policy through the control center in response to user operation;
defining a network alarm policy in response to user operation;
defining a process alarm policy in response to user operation;
defining a file alarm policy in response to user operation; and
the control center connecting to each script in response to user operation to issue and update the alarm policy in real time.
8. A Linux operating system abnormal behavior analysis device, comprising:
an acquisition module for acquiring and registering host state information of the Linux server, pulling the alarm policy from the control center and initializing the script, and for configuring a timed task that acquires the system element information of the current Linux server at a fixed interval; and
an analysis module for comparing the current system element information with the historical information in the configuration file to generate a difference report, combining the difference report with the alarm policy to generate an alarm message, transmitting the alarm message to the log server and the control center to trigger an alarm, and receiving the alarm policy pushed by the control center so that policies are issued in real time.
9. A computer device comprising a processor and a non-volatile memory storing computer instructions which, when executed by the processor, perform the Linux operating system abnormal behavior analysis method of any one of claims 1 to 7.
10. A readable storage medium comprising a computer program which, when run, controls the computer device on which the readable storage medium resides to perform the Linux operating system abnormal behavior analysis method of any one of claims 1 to 7.
Application CN202410193369.2A, "Abnormal behavior analysis method of Linux operating system and readable storage medium", published as CN118245333A (pending). Priority date 2024-02-21; filing date 2024-02-21; publication date 2024-06-25; family ID 91559460; country: CN.


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination