
WO2020211251A1 - Monitoring method and apparatus for operating system - Google Patents


Info

Publication number: WO2020211251A1
Authority: WO (WIPO (PCT))
Prior art keywords: parameter, command, indication information, monitoring data, determining
Application number: PCT/CN2019/103404
Other languages: French (fr), Chinese (zh)
Inventor: 秦天欢
Original Assignee: 平安科技(深圳)有限公司

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00 Error detection; Error correction; Monitoring
    • G06F11/004 Error avoidance
    • G06F11/008 Reliability or availability analysis
    • G06F11/30 Monitoring
    • G06F11/3003 Monitoring arrangements specially adapted to the computing system or computing system component being monitored
    • G06F11/302 Monitoring arrangements specially adapted to the computing system or computing system component being monitored where the computing system component is a software system

Definitions

  • This application relates to the field of intelligent decision-making, and more specifically, to a method and device for monitoring an operating system in the field of intelligent decision-making.
  • The inventor realizes that the industry usually records the user's login log on the operating system through a bastion machine, but cannot provide an analysis based on this log. That is to say, the existing methods cannot analyze which operations will threaten the security of the system and take protective measures for the operating system in time.
  • The present application provides a method and device for monitoring an operating system, which can identify the risk level of commands executed by a user on the operating system, which is beneficial to improving the security of the operating system.
  • This application provides a method for monitoring an operating system, including the following content:
  • acquiring monitoring data of the user, the monitoring data including the target command executed by the user on the operating system and the parameters of the target command;
  • determining a command vector of the target command according to the monitoring data, the command vector including command indication information and parameter indication information, the command indication information being used to indicate the target command, and the parameter indication information being used to indicate the parameter type of the parameter;
  • determining the risk level of the target command according to the command vector and a risk analysis model, the risk analysis model being used to represent the mapping relationship between the command vector and the risk level, and the risk level including a dangerous operation or a non-dangerous operation.
  • In a possible implementation manner, determining the command vector according to the monitoring data includes: determining the parameter type of the parameter according to the total number of times the parameter appears in the monitoring data, the parameter type including a high-frequency parameter or a low-frequency parameter; and determining the parameter indication information according to the parameter type.
  • This application also provides a monitoring device for an operating system, which specifically includes:
  • an obtaining unit, configured to obtain monitoring data of a user, the monitoring data including a target command executed by the user on the operating system and parameters of the target command;
  • a determining unit, configured to determine a command vector of the target command according to the monitoring data, the command vector including command indication information and parameter indication information, the command indication information being used to indicate the target command, and the parameter indication information being used to indicate the parameter type of the parameter; and to determine the risk level of the target command according to the command vector and a risk analysis model, the risk analysis model being used to represent the mapping relationship between the command vector and the risk level, where the risk level includes a dangerous operation or a non-dangerous operation.
  • The present application also provides a computer device, including a memory, a processor, a communication interface, and a computer program stored in the memory and runnable on the processor, wherein the memory, the processor and the communication interface communicate with each other through an internal connection path, and the processor implements the following steps of the above method when it executes the computer program:
  • acquiring monitoring data of the user, the monitoring data including the target command executed by the user on the operating system and the parameters of the target command;
  • determining a command vector of the target command according to the monitoring data, the command vector including command indication information and parameter indication information, the command indication information being used to indicate the target command, and the parameter indication information being used to indicate the parameter type of the parameter;
  • determining the risk level of the target command according to the command vector and a risk analysis model, the risk analysis model being used to represent the mapping relationship between the command vector and the risk level, and the risk level including a dangerous operation or a non-dangerous operation.
  • The present application also provides a non-volatile computer-readable storage medium on which a computer program is stored, and when the computer program is executed by a processor, the following steps of the foregoing method are implemented:
  • acquiring monitoring data of the user, the monitoring data including the target command executed by the user on the operating system and the parameters of the target command;
  • determining a command vector of the target command according to the monitoring data, the command vector including command indication information and parameter indication information, the command indication information being used to indicate the target command, and the parameter indication information being used to indicate the parameter type of the parameter;
  • determining the risk level of the target command according to the command vector and a risk analysis model, the risk analysis model being used to represent the mapping relationship between the command vector and the risk level, and the risk level including a dangerous operation or a non-dangerous operation.
  • Using the operating system monitoring method, device, computer device, and non-volatile computer-readable storage medium provided in the present application, the risk level of commands executed by the user on the operating system can be identified, thereby improving the security of the operating system.
  • FIG. 1 is a schematic flowchart of a method for monitoring an operating system provided by an embodiment of the present application.
  • FIG. 2 is a schematic flowchart of another operating system monitoring method provided by an embodiment of the present application.
  • FIG. 3 is a schematic block diagram of an operating system monitoring device provided by an embodiment of the present application.
  • FIG. 4 is a schematic block diagram of another operating system monitoring device provided by an embodiment of the present application.
  • FIG. 1 shows a schematic flowchart of a method 100 for monitoring an operating system provided by an embodiment of the present application. It should be understood that the method 100 may be executed by a monitoring device of an operating system.
  • The monitoring device may be a computer, or may be a functional module in the computer, which is not limited in the embodiment of the present application.
  • S110 Obtain monitoring data of a user, where the monitoring data includes a target command executed by the user on the operating system and a parameter of the target command.
  • The monitoring device can acquire at least one command executed by the user on the operating system within a preset time period and the parameter of each command in the at least one command, where the at least one command includes the target command, and obtain the target command and the parameters of the target command from the monitoring data.
  • The target command can be any one of the at least one command.
  • The monitoring device obtains a list of commands executed by the user. The list of commands includes all the commands executed by the user and the parameters of each command. The monitoring device can sequentially use each command in the command list as the target command.
  • When the monitoring data includes at least one parameter, the monitoring device may determine the parameter type of the parameter according to the total number of times the parameter appears in the monitoring data, the parameter type including a high-frequency parameter or a low-frequency parameter, and determine the parameter indication information according to the parameter type.
  • For example, in the monitoring data:
  • /home/wls81 appears 1100 times
  • mysql.cnf appears 1200 times
  • mysqld restart appears 1233 times
  • -trlah appears 82 times.
  • The two parameters with the most occurrences, mysqld restart and mysql.cnf, are high-frequency parameters; the parameters ranked after the first two, /home/wls81 and -trlah, are low-frequency parameters.
  • When the number of times the parameter appears in the monitoring data is greater than or equal to a preset number, the monitoring device determines that the parameter is a high-frequency parameter; or when the number of times the parameter appears in the monitoring data is less than the preset number, the monitoring device determines that the parameter is a low-frequency parameter.
  • mysqld restart appears 1233 times
  • mysql.cnf appears 1200 times
  • /home/wls81 appears 1100 times
  • -trlah appears 82 times
  • For example, the preset number is 1200 times.
  • The numbers of occurrences of mysqld restart and mysql.cnf are greater than or equal to the preset number 1200, so they are high-frequency parameters; the numbers of occurrences of /home/wls81 and -trlah are less than the preset number 1200, so they are low-frequency parameters.
  • Alternatively, the monitoring device may determine the parameter type of the parameter according to the importance of the parameter, the parameter type including a key parameter or a non-key parameter, and determine the parameter indication information according to the parameter type.
  • For example, the importance levels of mysql.cnf and mysqld restart are both "important", and the importance levels of /home/wls81 and -trlah are both "not important".
  • Then mysql.cnf and mysqld restart are key parameters, and /home/wls81 and -trlah are non-key parameters.
  • When the importance level of the parameter is greater than or equal to a preset level, the monitoring device determines that the parameter is a key parameter; or when the importance level of the parameter is less than the preset level, the monitoring device determines that the parameter is a non-key parameter.
  • For example, the importance level of mysqld restart is 4, the importance level of mysql.cnf is 3, the importance level of /home/wls81 is 1, the importance level of -trlah is 0, and the preset level is 2.
  • Determining the parameter indication information according to the parameter type may be: when the parameter is a high-frequency parameter or a key parameter, the monitoring device determines that the parameter indication information is the identifier of the parameter; or when the parameter is a low-frequency parameter or a non-key parameter, the monitoring device determines that the parameter indication information is a first identifier, and the first identifier is used to identify all low-frequency parameters or non-key parameters.
  • For example, mysql.cnf and mysqld restart are high-frequency parameters/key parameters, and /home/wls81 and -trlah are low-frequency parameters/non-key parameters.
  • the identifier of mysqld restart is 1
  • the identifier of mysql.cnf is 2
  • the first identifier is 0, and the first identifier is used to identify low-frequency parameters/non-key parameters.
  • Then the parameter indication information of mysqld restart is 1, the parameter indication information of mysql.cnf is 2, and the parameter indication information of /home/wls81 and -trlah is 0.
  • The command indication information in the command vector is the identifier of the target command.
  • For example, the identifier of cd is 1, the identifier of ls is 2, the identifier of vi is 3, and the identifier of service is 4.
  • Then the command indication information of cd is 1
  • the command indication information of ls is 2
  • the command indication information of vi is 3
  • the command indication information of service is 4.
  • Each row in the above command list yields a corresponding command vector, as shown in Table 2.
  • S130 Determine the risk level of the target command according to the command vector and the risk analysis model, where the risk analysis model is used to represent the mapping relationship between the command vector and the risk level, and the risk level includes a dangerous operation or a non-dangerous operation.
  • The method further includes: outputting risk level indication information, where the risk level indication information is used to indicate the risk level of the target command.
  • Dangerous operations may include prohibited operations or high-risk operations, and non-dangerous operations may include normal operations and low-risk operations.
  • For example, a normal operation outputs 0, a low-risk operation outputs 1, a high-risk operation outputs 2, and a prohibited operation outputs 3.
  • The method further includes: when the target command is a dangerous operation, sending an alarm notification to the staff.
  • For example, when the target command is a high-risk operation, an alarm notification is sent to the staff by email or text message; when the target command is a prohibited operation, an alarm notification is sent to the staff by phone, or execution of the target command is prohibited.
  • The method further includes training the risk analysis model.
  • The command vector of each command and the risk level of each command among the multiple commands executed by the user on the operating system are acquired; the command vector of each command and the risk level of each command are input into the LSTM network, and the risk analysis model is obtained by training.
  • The risk analysis model is an optimal model trained by the LSTM algorithm on the command vector of each command in a plurality of commands and the risk level of each command. This model belongs to a set of functions; optimal means that, under a certain evaluation criterion, the output closest to the actual result can be obtained from the input, so that the command vector of an input command can be mapped through the risk analysis model to the risk level of the corresponding output command.
  • The risk analysis model may be based on an encoder-decoder model framework; for example, it may be based on the long short-term memory (LSTM) model, or may be based on convolutional neural networks (CNN), recurrent neural networks (RNN), bidirectional recurrent neural networks (BiRNN), gated recurrent unit (GRU) models, etc.
  • The processing structure of the LSTM is called a cell. Three gates are placed in a cell, which are called the input gate, the forget gate and the output gate.
  • FIG. 2 shows a schematic flowchart of a method 200 for monitoring an operating system provided by an embodiment of the present application. It should be understood that the method 200 may be executed by a monitoring device of an operating system.
  • S210 Acquire a command vector of each command and a risk level of each command among multiple commands executed by the user on the operating system, where the command vector of each command includes first command indication information and first parameter indication information, the first command indication information is used to indicate each command, the first parameter indication information is used to indicate the parameter type of a parameter of each command, and the risk level includes a dangerous operation or a non-dangerous operation.
  • S220 Input the command vector of each command and the risk level of each command into the LSTM network, and train the risk analysis model.
  • The risk analysis model is an optimal model trained by the LSTM algorithm on the command vector of each command in a plurality of commands and the risk level of each command. This model belongs to a set of functions; optimal means that, under a certain evaluation criterion, the output closest to the actual result can be obtained from the input, so that the command vector of an input command can be mapped through the risk analysis model to the risk level of the corresponding output command.
  • S230 Obtain monitoring data of a user, where the monitoring data includes a target command executed by the user on the operating system and a parameter of the target command.
  • S240 Determine a command vector of the target command according to the monitoring data, where the command vector of the target command includes second command indication information and second parameter indication information, the second command indication information is used to indicate the target command, and the second parameter indication information is used to indicate the parameter type of the parameter.
  • S250 Determine the risk level of the target command according to the command vector of the target command and the risk analysis model, where the risk analysis model is used to represent the mapping relationship between the command vector and the risk level.
  • The method further includes: outputting risk level indication information, where the risk level indication information is used to indicate the risk level of the target command.
  • The method further includes: when the target command is a dangerous operation, sending an alarm notification to the staff.
  • FIG. 3 shows a schematic block diagram of an operating system monitoring device 300 provided in an embodiment of the present application. The device 300 includes:
  • an obtaining unit 310, configured to obtain monitoring data of a user, where the monitoring data includes a target command executed by the user on the operating system and parameters of the target command;
  • a determining unit 320, configured to determine a command vector of the target command according to the monitoring data, the command vector including command indication information and parameter indication information, the command indication information being used to indicate the target command, and the parameter indication information being used to indicate the parameter type of the parameter; and to determine the risk level of the target command according to the command vector and the risk analysis model, where the risk analysis model is used to represent the mapping relationship between the command vector and the risk level, and the risk level includes a dangerous operation or a non-dangerous operation.
  • The determining unit is specifically configured to determine the parameter type of the parameter according to the total number of times the parameter appears in the monitoring data, the parameter type including a high-frequency parameter or a low-frequency parameter, and to determine the parameter indication information according to the parameter type.
  • The determining unit is specifically configured to determine that the parameter is a high-frequency parameter when the number of times the parameter appears in the monitoring data is greater than or equal to a preset number; or to determine that the parameter is a low-frequency parameter when the number of times the parameter appears in the monitoring data is less than the preset number.
  • The determining unit is specifically configured to determine that the parameter indication information is the identifier of the parameter when the parameter is a high-frequency parameter; or to determine that the parameter indication information is a first identifier when the parameter is a low-frequency parameter, the first identifier being used to identify all low-frequency parameters.
  • The determining unit is specifically configured to determine the parameter type of the parameter according to the importance of the parameter, the parameter type including a key parameter or a non-key parameter, and to determine the parameter indication information according to the parameter type.
  • The determining unit is specifically configured to determine that the parameter is a key parameter when the importance level of the parameter is greater than or equal to a preset level; or to determine that the parameter is a non-key parameter when the importance level of the parameter is less than the preset level.
  • The determining unit is specifically configured to determine that the parameter indication information is the identifier of the parameter when the parameter is a key parameter; or to determine that the parameter indication information is a first identifier when the parameter is a non-key parameter, the first identifier being used to identify all non-key parameters.
  • The device further includes a training unit, and the acquiring unit is further configured to acquire, before the risk level of the target command is determined according to the command vector and the risk analysis model, the command vector of each command and the risk level of each command among the multiple commands executed by the user on the operating system (see S210).
  • FIG. 4 shows a schematic block diagram of the hardware architecture of a computer device for an operating system provided in an embodiment of the present application. The computer device may be an apparatus 400.
  • The computer device may include a processor 410, a communication interface 420, and a memory 430, and the processor 410, the communication interface 420, and the memory 430 communicate with each other through an internal connection path.
  • The related functions implemented by the determining unit 320 in FIG. 3 may be implemented by the processor 410, and the related functions implemented by the acquiring unit 310 in FIG. 3 may be implemented by the processor 410 controlling the communication interface 420.
  • The processor 410 may include one or more processors, for example, one or more central processing units (CPU). The CPU may be a single-core CPU or a multi-core CPU.
  • The communication interface 420 is used to input and/or output data. The communication interface may include a sending interface and a receiving interface; the sending interface is used for outputting data, and the receiving interface is used for inputting data.
  • The memory 430 includes, but is not limited to, random access memory (RAM), read-only memory (ROM), erasable programmable read-only memory (EPROM), and compact disc read-only memory (CD-ROM).
  • The memory 430 is used to store related instructions and data. The memory 430 is used to store the program code and data of the device, and may be a separate device or integrated in the processor 410.
  • The processor 410 is configured to control the communication interface 420, to call the code instructions stored in the memory 430, and to execute the code instructions.
  • FIG. 4 only shows a simplified design of the computer device. The computer device may also contain other necessary components, including but not limited to any number of communication interfaces, processors, controllers, memories, etc., and all devices that can implement the application fall within the protection scope of this application.
  • The computer device may be replaced with a chip device, for example, a chip that can be used in the device to implement the related functions of the processor 410 in the device.
  • The chip device can be a field programmable gate array, an application-specific integrated chip, a system chip, a central processing unit, a network processor, a digital signal processing circuit, a microcontroller, a programmable controller, or another integrated chip for realizing related functions.
  • The chip may optionally include one or more memories for storing program code. When the code is executed, the processor realizes the corresponding functions.
  • The disclosed system, device, and method may be implemented in other ways. The device embodiments described above are only illustrative.
  • The division of the units is only a logical functional division, and there may be other divisions in actual implementation; for example, multiple units or components can be combined or integrated into another system, or some features can be ignored or not implemented.
  • The displayed or discussed mutual coupling, direct coupling or communication connection may be indirect coupling or communication connection through some interfaces, devices or units, and may be in electrical, mechanical or other forms.
  • The units described as separate components may or may not be physically separated, and the components displayed as units may or may not be physical units; that is, they may be located in one place, or they may be distributed over multiple network units. Some or all of the units may be selected according to actual needs to achieve the objectives of the solutions of the embodiments.
  • Each unit in each embodiment of the present application may be integrated into one processing unit, or each unit may exist alone physically, or two or more units may be integrated into one unit.
  • If the function is implemented in the form of a software functional unit and sold or used as an independent product, it can be stored in a computer-readable storage medium.
  • The technical solution of this application, in essence, or the part that contributes to the existing technology, or a part of the technical solution, can be embodied in the form of a software product, and the computer software product is stored in a computer-readable storage medium.
  • The computer-readable storage medium includes a volatile computer-readable storage medium and a non-transitory computer-readable storage medium, and includes a number of instructions to enable a computer device (which may be a personal computer, a server, a network device, etc.) to perform all or part of the steps of the method described in each embodiment of the present application.
  • The aforementioned storage media include: a USB flash drive, a removable hard disk, ROM, RAM, a magnetic disk, an optical disk, or other media that can store program code.

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Quality & Reliability (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Computing Systems (AREA)
  • Mathematical Physics (AREA)
  • Debugging And Monitoring (AREA)
  • Alarm Systems (AREA)

Abstract

Disclosed are a monitoring method and apparatus for an operating system. The method comprises: acquiring monitoring data of a user, the monitoring data comprising a target command executed by the user on the operating system and a parameter of the target command (S110); determining, according to the monitoring data, a command vector of the target command, the command vector comprising command indication information and parameter indication information, the command indication information being used for indicating the target command and the parameter indication information being used for indicating the parameter type of the parameter (S120); and determining, according to the command vector and a risk analysis model, a risk level of the target command, the risk analysis model being used for representing a mapping relationship between the command vector and the risk level, the risk level comprising a dangerous operation or a non-dangerous operation (S130). By using the monitoring method and apparatus for the operating system, the risk level of the command executed by the user on the operating system can be identified, and the security of the operating system can be improved.

Description

Operating system monitoring method and device
This application claims the priority of the Chinese patent application filed on April 16, 2019 with application number 201910301822.6 and titled "Operating System Monitoring Method and Device", the entire content of which is incorporated herein by reference.
Technical field
This application relates to the field of intelligent decision-making, and more specifically, to a method and device for monitoring an operating system in the field of intelligent decision-making.
Background art
With the continuous development of information technology, the challenges to the system security of operating systems are becoming more and more severe. Timely detection of dangerous operations executed through abnormal logins can prevent damage to system security.
The inventor realizes that the industry usually records the user's login log on the operating system through a bastion machine, but cannot provide an analysis based on this log. That is to say, the existing methods cannot analyze which operations will threaten the security of the system and take protective measures for the operating system in time.
Therefore, there is currently a lack of effective monitoring of sensitive instructions executed by users on the operating system.
Summary of the invention
The present application provides a method and device for monitoring an operating system, which can identify the risk level of commands executed by a user on the operating system, which is beneficial to improving the security of the operating system.
In order to achieve the above objective, this application provides a method for monitoring an operating system, including the following content:
acquiring monitoring data of the user, the monitoring data including the target command executed by the user on the operating system and the parameters of the target command;
determining a command vector of the target command according to the monitoring data, the command vector including command indication information and parameter indication information, the command indication information being used to indicate the target command, and the parameter indication information being used to indicate the parameter type of the parameter;
determining the risk level of the target command according to the command vector and a risk analysis model, the risk analysis model being used to represent the mapping relationship between the command vector and the risk level, and the risk level including a dangerous operation or a non-dangerous operation.
In a possible implementation manner, determining the command vector according to the monitoring data includes: determining the parameter type of the parameter according to the total number of times the parameter appears in the monitoring data, the parameter type including a high-frequency parameter or a low-frequency parameter; and determining the parameter indication information according to the parameter type.
为实现上述目的,本申请还提供一种操作系统的监控装置,该装置具体包括:In order to achieve the above objective, this application also provides a monitoring device for an operating system, which specifically includes:
获取单元,用于获取用户的监控数据,所述监控数据包括所述用户在所述操作系统上执行的目标命令和所述目标命令的参数;An obtaining unit, configured to obtain monitoring data of a user, the monitoring data including a target command executed by the user on the operating system and parameters of the target command;
确定单元,用于根据所述监控数据,确定所述目标命令的命令向量,所述命令向量包括命令指示信息和参数指示信息,所述命令指示信息用于指示所述目标命令,所述参数指示信息用于指示所述参数的参数类型;根据所述命令向量和风险分析模型,确定所述目标命令的风险级别,所述风险分析模型用于表示所述命令向量和所述风险级别之间的映射关系,所述风险级别包括危险操作或非危险操作。The determining unit is configured to determine a command vector of the target command according to the monitoring data, the command vector including command indication information and parameter indication information, the command indication information is used to indicate the target command, and the parameter indication Information is used to indicate the parameter type of the parameter; the risk level of the target command is determined according to the command vector and the risk analysis model, and the risk analysis model is used to indicate the difference between the command vector and the risk level A mapping relationship, where the risk level includes dangerous operations or non-dangerous operations.
为实现上述目的,本申请还提供一种计算机设备,包括存储器、处理器、通信接口以及存储在所述存储器上并可在所述处理器上运行的计算机程序,其中,所述存储器、所述处理器以及所述通信接口之间通过内部连接通路互相通信,所述处理器执行所述计算机程序时实现上述方法的以下步骤:In order to achieve the above object, the present application also provides a computer device, including a memory, a processor, a communication interface, and a computer program stored on the memory and running on the processor, wherein the memory, the The processor and the communication interface communicate with each other through an internal connection path, and the processor implements the following steps of the above method when the processor executes the computer program:
获取用户的监控数据,所述监控数据包括所述用户在所述操作系统上执行的目标命令和所述目标命令的参数;Acquiring monitoring data of the user, the monitoring data including the target command executed by the user on the operating system and the parameters of the target command;
根据所述监控数据,确定所述目标命令的命令向量,所述命令向量包括命令指示信息和参数指示信息,所述命令指示信息用于指示所述目标命令,所述参数指示信息用于指示所述参数的参数类型;According to the monitoring data, a command vector of the target command is determined, the command vector includes command indication information and parameter indication information, the command indication information is used to indicate the target command, and the parameter indication information is used to indicate all The parameter type of the parameter;
根据所述命令向量和风险分析模型,确定所述目标命令的风险级别,所述风险分析模型用于表示所述命令向量和所述风险级别之间的映射关系,所述风险级别包括危险操作或非危险操作。The risk level of the target command is determined according to the command vector and the risk analysis model, the risk analysis model is used to represent the mapping relationship between the command vector and the risk level, and the risk level includes dangerous operations or Non-hazardous operation.
为实现上述目的,本申请还提供一种非易失性计算机可读存储介质,其上存储有计算机程序,所述计算机程序被处理器执行时实现上述方法的以下步骤:To achieve the foregoing objective, the present application also provides a non-volatile computer-readable storage medium on which a computer program is stored, and when the computer program is executed by a processor, the following steps of the foregoing method are implemented:
获取用户的监控数据,所述监控数据包括所述用户在所述操作系统上执行的目标命令和所述目标命令的参数;Acquiring monitoring data of the user, the monitoring data including the target command executed by the user on the operating system and the parameters of the target command;
根据所述监控数据,确定所述目标命令的命令向量,所述命令向量包括命令指示信息和参数指示信息,所述命令指示信息用于指示所述目标命令,所述参数指示信息用于指示所述参数的参数类型;According to the monitoring data, a command vector of the target command is determined, the command vector includes command indication information and parameter indication information, the command indication information is used to indicate the target command, and the parameter indication information is used to indicate all The parameter type of the parameter;
根据所述命令向量和风险分析模型,确定所述目标命令的风险级别,所述风险分析模型用于表示所述命令向量和所述风险级别之间的映射关系,所述风险级别包括危险操作或非危险操作。The risk level of the target command is determined according to the command vector and the risk analysis model, the risk analysis model is used to represent the mapping relationship between the command vector and the risk level, and the risk level includes dangerous operations or Non-hazardous operation.
采用本申请提供的操作系统的监控方法、装置、计算机设备和非易失性计算机可读存储介质,能够识别出用户在操作系统上执行的命令的风险级别,从而提高操作系统的安全性。Using the operating system monitoring method, device, computer equipment, and non-volatile computer-readable storage medium provided in the present application can identify the risk level of commands executed by the user on the operating system, thereby improving the security of the operating system.
附图说明Description of the drawings
图1是本申请实施例提供的操作系统的监控方法的示意性流程图;FIG. 1 is a schematic flowchart of a method for monitoring an operating system provided by an embodiment of the present application;
图2是本申请实施例提供的另一操作系统的监控方法的示意性流程图;2 is a schematic flowchart of another operating system monitoring method provided by an embodiment of the present application;
图3是本申请实施例提供的操作系统的监控装置的示意性框图;FIG. 3 is a schematic block diagram of an operating system monitoring device provided by an embodiment of the present application;
图4是本申请实施例提供的另一操作系统的监控装置示意性框图。Fig. 4 is a schematic block diagram of another operating system monitoring device provided by an embodiment of the present application.
具体实施方式detailed description
In order to make the objectives, technical solutions, and advantages of this application clearer, this application is described in further detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described here are intended only to explain this application and not to limit it. Based on the embodiments in this application, all other embodiments obtained by a person of ordinary skill in the art without creative effort fall within the scope of protection of this application.
Embodiment 1
FIG. 1 shows a schematic flowchart of an operating system monitoring method 100 provided by an embodiment of this application. It should be understood that the method 100 may be executed by an operating system monitoring device.
Optionally, the monitoring device may be a computer or a functional module within a computer; this is not limited in the embodiments of this application.
S110: acquire monitoring data of a user, the monitoring data including a target command executed by the user on the operating system and a parameter of the target command.
Specifically, the monitoring device may acquire at least one command executed by the user on the operating system within a preset time period, together with the parameter of each of the at least one command, the at least one command including the target command; and obtain the target command and the parameter of the target command from the monitoring data.
Optionally, the target command may be any one of the at least one command.
For example, within the preset time period the monitoring device obtains the list of commands executed by the user, as shown in Table 1; the list includes every command the user executed and the parameter of each command. The monitoring device may take each command in the list in turn as the target command.
Command     Parameter
cd          /home/wls81
ls          /home/wls81
ls          -trlah
vi          my.cnf
service     mysqld restart
...         ...
Table 1
S120: determine, according to the monitoring data, a command vector of the target command, the command vector including command indication information and parameter indication information, the command indication information being used to indicate the target command and the parameter indication information being used to indicate the parameter type of the parameter.
In a possible implementation (applicable when the monitoring data includes at least one parameter), the monitoring device may determine the parameter type of the parameter according to the total number of times the parameter appears in the monitoring data, the parameter type being a high-frequency parameter or a low-frequency parameter, and determine the parameter indication information according to the parameter type.
For example: /home/wls81 appears 1100 times, mysql.cnf appears 1200 times, mysqld restart appears 1233 times, and -trlah appears 82 times.
Accordingly, the two most frequent parameters, mysqld restart and mysql.cnf in that order, are high-frequency parameters, and the parameters ranked after them, /home/wls81 and -trlah, are low-frequency parameters.
Optionally, when the number of times the parameter appears in the monitoring data is greater than or equal to a preset number, the monitoring device determines that the parameter is a high-frequency parameter; when the number of times the parameter appears in the monitoring data is less than the preset number, the monitoring device determines that the parameter is a low-frequency parameter.
For example: mysqld restart appears 1233 times, mysql.cnf appears 1200 times, /home/wls81 appears 1100 times, -trlah appears 82 times, and the preset number is 1200.
Accordingly, mysqld restart and mysql.cnf each appear at least the preset 1200 times and are high-frequency parameters; /home/wls81 and -trlah each appear fewer than the preset 1200 times and are low-frequency parameters.
In another possible implementation, the monitoring device may determine the parameter type of the parameter according to the importance of the parameter, the parameter type being a key parameter or a non-key parameter, and determine the parameter indication information according to the parameter type.
For example, the importance level of both mysql.cnf and mysqld restart is "important", and the importance level of both /home/wls81 and -trlah is "unimportant".
Accordingly, mysql.cnf and mysqld restart are key parameters, and /home/wls81 and -trlah are non-key parameters.
Optionally, when the importance level of the parameter is greater than or equal to a preset level, the monitoring device determines that the parameter is a key parameter; when the importance level of the parameter is less than the preset level, the monitoring device determines that the parameter is a non-key parameter.
For example: the importance level of mysqld restart is 4, that of mysql.cnf is 3, that of /home/wls81 is 1, that of -trlah is 0, and the preset level is 2.
Accordingly, mysqld restart and mysql.cnf both have an importance level of at least the preset level 2 and are key parameters; /home/wls81 and -trlah both have an importance level below the preset level 2 and are non-key parameters.
Optionally, determining the parameter indication information according to the parameter type may be as follows: when the parameter is a high-frequency parameter or a key parameter, the monitoring device sets the parameter indication information to the identifier of the parameter; when the parameter is a low-frequency parameter or a non-key parameter, the monitoring device sets the parameter indication information to a first identifier, the first identifier being used to identify all low-frequency parameters or non-key parameters.
For example, mysql.cnf and mysqld restart are high-frequency/key parameters and /home/wls81 and -trlah are low-frequency/non-key parameters, where the identifier of mysqld restart is 1, the identifier of mysql.cnf is 2, and the first identifier is 0 and is used to identify the low-frequency/non-key parameters.
Accordingly, the parameter indication information of mysqld restart is 1, that of mysql.cnf is 2, and that of /home/wls81 and -trlah is 0.
Optionally, the command indication information in the command vector is the identifier of the target command.
For example: the identifier of cd is 1, the identifier of ls is 2, the identifier of vi is 3, and the identifier of service is 4.
Accordingly, the command indication information of cd is 1, that of ls is 2, that of vi is 3, and that of service is 4.
In summary, each row of the above command list yields a corresponding vector, as shown in Table 2.
Command     Parameter        Vector
cd          /home/wls81      <1,0>
ls          /home/wls81      <2,0>
ls          -trlah           <2,0>
vi          my.cnf           <3,2>
service     mysqld restart   <4,1>
...         ...              ...
Table 2
S130: determine the risk level of the target command according to the command vector and a risk analysis model, the risk analysis model being used to represent the mapping relationship between command vectors and risk levels, the risk level being either a dangerous operation or a non-dangerous operation.
Optionally, the method further includes outputting risk level indication information, the risk level indication information being used to indicate the risk level of the target command.
For example, 1 is output for a dangerous operation and 0 for a non-dangerous operation.
Optionally, dangerous operations may include prohibited operations and high-risk operations, and non-dangerous operations may include normal operations and low-risk operations.
For example: normal operation: reading a file; low-risk operation: writing a file; high-risk operation: shutting down; prohibited operation: deleting operating system files on the server.
As another example, 0 is output for a normal operation, 1 for a low-risk operation, 2 for a high-risk operation, and 3 for a prohibited operation.
Optionally, the method further includes: when the target command is a dangerous operation, sending an alarm notification to staff.
For example, when the target command is a high-risk operation, an alarm notification is sent to staff by email or SMS; when the target command is a prohibited operation, an alarm notification is sent to staff by telephone, or execution of the target command is blocked.
By using the operating system monitoring method provided by this application and notifying staff in time, threats to system security can be effectively avoided.
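The following Python block is an added example, not code from the patent or its applicant. It walks steps S110 to S130 over a constructed command log built from the rows of Table 1: it counts parameter occurrences, splits them into high- and low-frequency parameters against a preset count (4 here, scaled down from the 1200 in the text), assigns the per-parameter identifiers and the shared first identifier, builds the <command, parameter> vectors of Table 2, and routes alerts by risk level. It also includes the importance-level variant of the parameter classification. The command identifiers, the preset count, the training labels, and the small table-based RiskAnalysisModel are all assumptions; the patent trains an LSTM, for which the lookup model stands in. Commands absent from the identifier table and vectors unseen in training are escalated rather than silently treated as safe.

```python
from collections import Counter

# Constructed monitoring data for one user in the preset time window:
# (command, parameter) pairs following the rows of Table 1.
MONITORING_DATA = (
    [("cd", "/home/wls81")] * 2
    + [("ls", "/home/wls81")]
    + [("ls", "-trlah")]
    + [("vi", "my.cnf")] * 4
    + [("service", "mysqld restart")] * 5
)

# Command identifiers as in the description; unknown commands get 0 (assumption).
COMMAND_IDS = {"cd": 1, "ls": 2, "vi": 3, "service": 4}
UNKNOWN_COMMAND_ID = 0
# The "first identifier" shared by every low-frequency / non-key parameter.
FIRST_IDENTIFIER = 0


def parameter_types_by_frequency(monitoring_data, preset_count):
    """Classify each parameter as 'high' or 'low' frequency by its total count."""
    counts = Counter(parameter for _, parameter in monitoring_data)
    return {p: "high" if n >= preset_count else "low" for p, n in counts.items()}


def parameter_types_by_importance(importance_levels, preset_level):
    """Classify each parameter as 'key' or 'non-key' by an assigned importance level."""
    return {p: "key" if lvl >= preset_level else "non-key"
            for p, lvl in importance_levels.items()}


def parameter_ids(parameter_types, ranking):
    """Parameter indication information: high-frequency / key parameters get
    their own identifier (1, 2, ... in the order of `ranking`); all others
    share FIRST_IDENTIFIER."""
    ids, next_id = {}, 1
    for p in ranking:
        if parameter_types[p] in ("high", "key"):
            ids[p], next_id = next_id, next_id + 1
        else:
            ids[p] = FIRST_IDENTIFIER
    return ids


def command_vector(command, parameter, ids):
    """<command indication information, parameter indication information>."""
    return (COMMAND_IDS.get(command, UNKNOWN_COMMAND_ID),
            ids.get(parameter, FIRST_IDENTIFIER))


class RiskAnalysisModel:
    """Stand-in for the LSTM of the description: a vector -> level mapping
    learned from labelled samples. A vector unseen in training falls back to
    the highest level seen for its command id; an unknown command id is
    escalated to HIGH_RISK so that it is reviewed rather than passed."""
    NORMAL, LOW_RISK, HIGH_RISK, PROHIBITED = 0, 1, 2, 3

    def __init__(self):
        self._by_vector, self._by_command = {}, {}

    def train(self, samples):
        for vector, level in samples:
            self._by_vector[vector] = level
            cmd = vector[0]
            self._by_command[cmd] = max(self._by_command.get(cmd, self.NORMAL), level)

    def risk_level(self, vector):
        if vector in self._by_vector:
            return self._by_vector[vector]
        return self._by_command.get(vector[0], self.HIGH_RISK)


def is_dangerous(level):
    """Dangerous = high-risk or prohibited; non-dangerous = normal or low-risk."""
    return level >= RiskAnalysisModel.HIGH_RISK


def alert_action(level):
    """Notification channel per risk level, following the description's example."""
    if level == RiskAnalysisModel.PROHIBITED:
        return "phone alert; block execution"
    if level == RiskAnalysisModel.HIGH_RISK:
        return "email/SMS alert"
    return None


# Constructed training labels (vector, level) for the model stand-in.
TRAINING_SAMPLES = [((1, 0), 0), ((2, 0), 0), ((3, 2), 1), ((4, 1), 2)]


def monitor(monitoring_data, preset_count, model):
    """Steps S110-S130 over every command in the window."""
    types = parameter_types_by_frequency(monitoring_data, preset_count)
    counts = Counter(parameter for _, parameter in monitoring_data)
    ids = parameter_ids(types, [p for p, _ in counts.most_common()])
    results = []
    for command, parameter in monitoring_data:
        vector = command_vector(command, parameter, ids)
        level = model.risk_level(vector)
        results.append((command, parameter, vector, level, alert_action(level)))
    return results


if __name__ == "__main__":
    model = RiskAnalysisModel()
    model.train(TRAINING_SAMPLES)
    for row in monitor(MONITORING_DATA, preset_count=4, model=model):
        print(row)
```

With the constructed data, mysqld restart (5 occurrences) and my.cnf (4) meet the preset count and receive identifiers 1 and 2, while /home/wls81 (3) and -trlah (1) collapse to the first identifier 0, reproducing the vectors of Table 2. Ranking high-frequency parameters by descending count before numbering them keeps identifiers stable across runs as long as the frequency order does not change; in a deployment the identifier table would instead be persisted so that the model's input encoding does not drift between training and inference.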
Optionally, before S130, the method further includes training the risk analysis model.
Specifically, the command vector and the risk level of each of a plurality of commands executed by the user on the operating system are acquired, and the command vector and the risk level of each command are input into an LSTM network, which is trained to obtain the risk analysis model.
It should be noted that the risk analysis model is an optimal model trained by the LSTM algorithm on the command vector and the risk level of each of the plurality of commands. The model belongs to some set of functions, where "optimal" means that, under a given evaluation criterion, the output closest to the actual result can be obtained from the input, so that the risk analysis model maps the command vector of an input command to the risk level output for that command.
Optionally, the risk analysis model may be based on one or another encoder-decoder model framework; for example, it may be based on an LSTM model, or on convolutional neural networks (CNN), recurrent neural networks (RNN), bidirectional recurrent neural networks (BiRNN), gated recurrent unit (GRU) models, and so on; the embodiments of the present invention are not limited to these.
It should be understood that LSTM (Long Short-Term Memory) is a kind of time-recurrent neural network suited to processing and predicting important events separated by relatively long intervals and delays in a time series. LSTM adds to the algorithm a "processor" that judges whether information is useful; the structure that plays this role is called a cell. A cell contains three gates, called the input gate, the forget gate, and the output gate. When information enters the LSTM network, rules determine whether it is useful: only information that passes the algorithm's check is retained, and information that does not is discarded through the forget gate. The LSTM model works on a one-in, two-out principle and, under repeated computation, can solve long-standing major problems in neural networks.
Embodiment 2
FIG. 2 shows a schematic flowchart of an operating system monitoring method 200 provided by an embodiment of this application. It should be understood that the method 200 may be executed by an operating system monitoring device.
S210: acquire the command vector and the risk level of each of a plurality of commands executed by the user on the operating system, the command vector of each command including first command indication information and first parameter indication information, the first command indication information being used to indicate that command and the first parameter indication information being used to indicate the parameter type of that command's parameter, the risk level being either a dangerous operation or a non-dangerous operation.
S220: input the command vector and the risk level of each command into an LSTM network and train it to obtain a risk analysis model.
It should be noted that the risk analysis model is an optimal model trained by the LSTM algorithm on the command vector and the risk level of each of the plurality of commands. The model belongs to some set of functions, where "optimal" means that, under a given evaluation criterion, the output closest to the actual result can be obtained from the input, so that the risk analysis model maps the command vector of an input command to the risk level output for that command.
S230: acquire monitoring data of the user, the monitoring data including a target command executed by the user on the operating system and a parameter of the target command.
S240: determine, according to the monitoring data, a command vector of the target command, the command vector of the target command including second command indication information and second parameter indication information, the second command indication information being used to indicate the target command and the second parameter indication information being used to indicate the parameter type of the parameter.
S250: determine the risk level of the target command according to the command vector of the target command and the risk analysis model, the risk analysis model being used to represent the mapping relationship between command vectors and risk levels.
Optionally, the method further includes outputting risk level indication information, the risk level indication information being used to indicate the risk level of the target command.
Optionally, the method further includes: when the target command is a dangerous operation, sending an alarm notification to staff.
The operating system monitoring method provided by the embodiments of this application has been described above with reference to FIG. 1 and FIG. 2; the operating system monitoring device provided by the embodiments of this application is described below with reference to FIG. 3 and FIG. 4.
Embodiment 3
FIG. 3 shows a schematic block diagram of an operating system monitoring device 300 provided by an embodiment of this application. The device 300 includes:
an acquiring unit 310 configured to acquire monitoring data of a user, the monitoring data including a target command executed by the user on the operating system and a parameter of the target command;
a determining unit 320 configured to determine, according to the monitoring data, a command vector of the target command, the command vector including command indication information and parameter indication information, the command indication information being used to indicate the target command and the parameter indication information being used to indicate the parameter type of the parameter; and to determine the risk level of the target command according to the command vector and a risk analysis model, the risk analysis model being used to represent the mapping relationship between command vectors and risk levels, the risk level being either a dangerous operation or a non-dangerous operation.
Optionally, the determining unit is specifically configured to determine the parameter type of the parameter according to the total number of times the parameter appears in the monitoring data, the parameter type being a high-frequency parameter or a low-frequency parameter, and to determine the parameter indication information according to the parameter type.
Optionally, the determining unit is specifically configured to determine that the parameter is a high-frequency parameter when the number of times the parameter appears in the monitoring data is greater than or equal to a preset number, and to determine that the parameter is a low-frequency parameter when that number is less than the preset number.
Optionally, the determining unit is specifically configured to set the parameter indication information to the identifier of the parameter when the parameter is a high-frequency parameter, and to set the parameter indication information to a first identifier when the parameter is a low-frequency parameter, the first identifier being used to identify all low-frequency parameters.
Optionally, the determining unit is specifically configured to determine the parameter type of the parameter according to the importance of the parameter, the parameter type being a key parameter or a non-key parameter, and to determine the parameter indication information according to the parameter type.
Optionally, the determining unit is specifically configured to determine that the parameter is a key parameter when the importance level of the parameter is greater than or equal to a preset level, and to determine that the parameter is a non-key parameter when the importance level of the parameter is less than the preset level.
Optionally, the determining unit is specifically configured to set the parameter indication information to the identifier of the parameter when the parameter is a key parameter, and to set the parameter indication information to a first identifier when the parameter is a non-key parameter, the first identifier being used to identify all non-key parameters.
Optionally, the device further includes a training unit; the acquiring unit is further configured to acquire, before the risk level of the target command is determined according to the command vector and the risk analysis model, the command vector and the risk level of each of a plurality of commands executed by the user on the operating system; and the training unit is configured to input the command vector and the risk level of each command into an LSTM network and train it to obtain the risk analysis model.
实施例4Example 4
FIG. 4 is a schematic block diagram of the hardware architecture of a computer device provided in an embodiment of the present application; the computer device may be the apparatus 400. It may include a processor 410, a communication interface 420 and a memory 430, which communicate with each other through an internal connection path. The functions of the determining unit 320 in FIG. 3 may be implemented by the processor 410, and the functions of the acquiring unit 310 in FIG. 3 may be implemented by the processor 410 controlling the communication interface 420.
The processor 410 may include one or more processors, for example one or more central processing units (CPUs). Where the processor is a CPU, it may be a single-core or a multi-core CPU.
The communication interface 420 is used to input and/or output data. It may include a sending interface for outputting data and a receiving interface for inputting data.
The memory 430 includes, but is not limited to, random access memory (RAM), read-only memory (ROM), erasable programmable read-only memory (EPROM) and compact disc read-only memory (CD-ROM); the memory 430 is used to store related instructions and data.
The memory 430 stores the program code and data of the apparatus and may be a separate device or integrated in the processor 410.
Specifically, the processor 410 is configured to control the communication interface 420, to call the code instructions stored in the memory 430 and to execute them. For details, refer to the description in the method embodiment, which is not repeated here.
It can be understood that FIG. 4 shows only a simplified design of the computer device. In practice the computer device may also contain other necessary components, including but not limited to any number of communication interfaces, processors, controllers and memories, and every apparatus that can implement this application falls within its scope of protection.
In one possible design, the computer device may be replaced by a chip device, for example a chip that can be used in the apparatus to implement the functions of the processor 410. The chip device may be a field-programmable gate array, an application-specific integrated circuit, a system on chip, a central processing unit, a network processor, a digital signal processing circuit or a microcontroller, or it may use a programmable controller or another integrated chip that implements the relevant functions. The chip may optionally include one or more memories for storing program code which, when executed, causes the processor to implement the corresponding functions.
A person of ordinary skill in the art will be aware that the units and algorithm steps of the examples described in connection with the embodiments disclosed herein can be implemented in electronic hardware or in a combination of computer software and electronic hardware. Whether these functions are executed in hardware or in software depends on the particular application and design constraints of the technical solution. Skilled persons may use different methods to implement the described functions for each particular application, but such implementations should not be regarded as going beyond the scope of this application.
Those skilled in the art will clearly understand that, for convenience and brevity of description, the specific working processes of the systems, apparatus and units described above can be found in the corresponding processes of the foregoing method embodiment and are not repeated here.
In the several embodiments provided in this application, it should be understood that the disclosed system, apparatus and method may be implemented in other ways. For example, the apparatus embodiments described above are merely illustrative: the division into units is only a division by logical function, and other divisions are possible in actual implementation, for instance several units or components may be combined or integrated into another system, or some features may be omitted or not executed. Further, the mutual couplings, direct couplings or communication connections shown or discussed may be indirect couplings or communication connections through interfaces, apparatus or units, and may be electrical, mechanical or of other forms.
The units described as separate components may or may not be physically separate, and components shown as units may or may not be physical units; they may be located in one place or distributed over several network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solutions of the embodiments.
In addition, the functional units in the embodiments of this application may be integrated into one processing unit, each unit may exist physically on its own, or two or more units may be integrated into one unit.
If the functions are implemented in the form of software functional units and sold or used as an independent product, they may be stored in a computer-readable storage medium. On this understanding, the technical solution of this application, in essence or in the part that contributes to the prior art or in part, may be embodied as a software product stored in a computer-readable storage medium, which includes volatile and non-volatile computer-readable storage media and holds a number of instructions that cause a computer device (which may be a personal computer, a server, a network device or the like) to perform all or some of the steps of the methods described in the embodiments of this application. The storage medium includes a USB flash drive, a removable hard disk, ROM, RAM, a magnetic disk, an optical disc or any other medium that can store program code.
The above are only specific embodiments of this application, and its scope of protection is not limited to them: any change or substitution that a person skilled in the art can readily conceive within the technical scope disclosed here falls within the scope of protection of this application. The scope of protection of this application is therefore that of the claims.

Claims (20)

  1. A method for monitoring an operating system, comprising:
    acquiring monitoring data of a user, the monitoring data including a target command executed by the user on the operating system and the parameters of the target command;
    determining, according to the monitoring data, a command vector of the target command, the command vector including command indication information and parameter indication information, the command indication information indicating the target command and the parameter indication information indicating the parameter type of the parameters;
    determining the risk level of the target command according to the command vector and a risk analysis model, the risk analysis model representing the mapping between command vectors and risk levels, the risk level being a dangerous operation or a non-dangerous operation.
  2. The method according to claim 1, wherein determining the command vector according to the monitoring data comprises:
    determining the parameter type of the parameter according to the total number of times the parameter occurs in the monitoring data, the parameter type being a high-frequency parameter or a low-frequency parameter;
    determining the parameter indication information according to the parameter type.
  3. The method according to claim 2, wherein determining the parameter type of the parameter according to the total number of times it occurs in the monitoring data comprises:
    when the number of occurrences of the parameter in the monitoring data is greater than or equal to a preset number, determining that the parameter is a high-frequency parameter; or
    when the number of occurrences of the parameter in the monitoring data is less than the preset number, determining that the parameter is a low-frequency parameter.
  4. The method according to claim 3, wherein determining the parameter indication information according to the parameter type comprises:
    when the parameter is a high-frequency parameter, determining that the parameter indication information is the identifier of the parameter; or
    when the parameter is a low-frequency parameter, determining that the parameter indication information is a first identifier, the first identifier identifying all low-frequency parameters.
  5. The method according to claim 1, wherein determining the command vector according to the monitoring data comprises:
    determining the parameter type of the parameter according to the importance of the parameter, the parameter type being a key parameter or a non-key parameter;
    determining the parameter indication information according to the parameter type.
  6. The method according to claim 5, wherein determining the parameter type of the parameter according to its importance comprises:
    when the importance level of the parameter is greater than or equal to a preset level, determining that the parameter is a key parameter; or
    when the importance level of the parameter is less than the preset level, determining that the parameter is a non-key parameter.
  7. The method according to any one of claims 1 to 6, wherein, before determining the risk level of the target command according to the command vector and the risk analysis model, the method further comprises:
    acquiring the command vector of each of a plurality of commands executed by the user on the operating system and the risk level of each of those commands;
    inputting the command vector and the risk level of each command into an LSTM network and training it to obtain the risk analysis model.
  8. An apparatus for monitoring an operating system, comprising:
    an acquiring unit, configured to acquire monitoring data of a user, the monitoring data including a target command executed by the user on the operating system and the parameters of the target command;
    a determining unit, configured to determine, according to the monitoring data, a command vector of the target command, the command vector including command indication information and parameter indication information, the command indication information indicating the target command and the parameter indication information indicating the parameter type of the parameters; and to determine the risk level of the target command according to the command vector and a risk analysis model, the risk analysis model representing the mapping between command vectors and risk levels, the risk level being a dangerous operation or a non-dangerous operation.
  9. A computer device, comprising a memory, a processor, a communication interface and a computer program stored in the memory and runnable on the processor, the memory, the processor and the communication interface communicating with each other through an internal connection path, wherein the processor executes the computer program to implement the following steps:
    acquiring monitoring data of a user, the monitoring data including a target command executed by the user on the operating system and the parameters of the target command;
    determining, according to the monitoring data, a command vector of the target command, the command vector including command indication information and parameter indication information, the command indication information indicating the target command and the parameter indication information indicating the parameter type of the parameters;
    determining the risk level of the target command according to the command vector and a risk analysis model, the risk analysis model representing the mapping between command vectors and risk levels, the risk level being a dangerous operation or a non-dangerous operation.
  10. The computer device according to claim 9, wherein determining the command vector according to the monitoring data comprises:
    determining the parameter type of the parameter according to the total number of times the parameter occurs in the monitoring data, the parameter type being a high-frequency parameter or a low-frequency parameter;
    determining the parameter indication information according to the parameter type;
    preferably, determining the parameter type of the parameter according to the total number of times it occurs in the monitoring data comprises:
    when the number of occurrences of the parameter in the monitoring data is greater than or equal to a preset number, determining that the parameter is a high-frequency parameter; or
    when the number of occurrences of the parameter in the monitoring data is less than the preset number, determining that the parameter is a low-frequency parameter.
  11. The computer device according to claim 10, wherein determining the parameter indication information according to the parameter type comprises:
    when the parameter is a high-frequency parameter, determining that the parameter indication information is the identifier of the parameter; or
    when the parameter is a low-frequency parameter, determining that the parameter indication information is a first identifier, the first identifier identifying all low-frequency parameters.
  12. The computer device according to claim 9, wherein determining the command vector according to the monitoring data comprises:
    determining the parameter type of the parameter according to the importance of the parameter, the parameter type being a key parameter or a non-key parameter;
    determining the parameter indication information according to the parameter type.
  13. The computer device according to claim 12, wherein determining the parameter type of the parameter according to its importance comprises:
    when the importance level of the parameter is greater than or equal to a preset level, determining that the parameter is a key parameter; or
    when the importance level of the parameter is less than the preset level, determining that the parameter is a non-key parameter.
  14. The computer device according to any one of claims 9 to 13, wherein, before determining the risk level of the target command according to the command vector and the risk analysis model, the steps further comprise:
    acquiring the command vector of each of a plurality of commands executed by the user on the operating system and the risk level of each of those commands;
    inputting the command vector and the risk level of each command into an LSTM network and training it to obtain the risk analysis model.
  15. A computer-readable storage medium storing a computer program, wherein the computer program is executed by a processor to implement the following steps:
    acquiring monitoring data of a user, the monitoring data including a target command executed by the user on the operating system and the parameters of the target command;
    determining, according to the monitoring data, a command vector of the target command, the command vector including command indication information and parameter indication information, the command indication information indicating the target command and the parameter indication information indicating the parameter type of the parameters;
    determining the risk level of the target command according to the command vector and a risk analysis model, the risk analysis model representing the mapping between command vectors and risk levels, the risk level being a dangerous operation or a non-dangerous operation.
  16. The computer-readable storage medium according to claim 15, wherein determining the command vector according to the monitoring data comprises:
    determining the parameter type of the parameter according to the total number of times the parameter occurs in the monitoring data, the parameter type being a high-frequency parameter or a low-frequency parameter;
    determining the parameter indication information according to the parameter type;
    preferably, determining the parameter type of the parameter according to the total number of times it occurs in the monitoring data comprises:
    when the number of occurrences of the parameter in the monitoring data is greater than or equal to a preset number, determining that the parameter is a high-frequency parameter; or
    when the number of occurrences of the parameter in the monitoring data is less than the preset number, determining that the parameter is a low-frequency parameter.
  17. The computer-readable storage medium according to claim 16, wherein determining the parameter indication information according to the parameter type comprises:
    when the parameter is a high-frequency parameter, determining that the parameter indication information is the identifier of the parameter; or
    when the parameter is a low-frequency parameter, determining that the parameter indication information is a first identifier, the first identifier identifying all low-frequency parameters.
  18. The computer-readable storage medium according to claim 15, wherein determining the command vector according to the monitoring data comprises:
    determining the parameter type of the parameter according to the importance of the parameter, the parameter type being a key parameter or a non-key parameter;
    determining the parameter indication information according to the parameter type.
  19. The computer-readable storage medium according to claim 18, wherein determining the parameter type of the parameter according to its importance comprises:
    when the importance level of the parameter is greater than or equal to a preset level, determining that the parameter is a key parameter; or
    when the importance level of the parameter is less than the preset level, determining that the parameter is a non-key parameter.
  20. The computer-readable storage medium according to any one of claims 15 to 19, wherein, before determining the risk level of the target command according to the command vector and the risk analysis model, the steps further comprise:
    acquiring the command vector of each of a plurality of commands executed by the user on the operating system and the risk level of each of those commands;
    inputting the command vector and the risk level of each command into an LSTM network and training it to obtain the risk analysis model.
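The command-vector construction of claims 1 to 6 and the labelled training set of claim 7, as an added Python example that is not part of the patent: it counts parameter occurrences over constructed monitoring data, builds command vectors under both the frequency-based typing (claims 2 to 4) and the importance-based typing (claims 5 and 6), and stands in for the LSTM of claim 7 with an exact-match table over labelled vectors so that what each encoding keeps and discards can be inspected. The sample commands and their labels, the importance scale, and the NON_KEY identifier for non-key parameters (the claims fix a shared identifier only for low-frequency parameters) are assumptions of this example.

```python
"""Command vectors and a lookup stand-in for the risk analysis model.

Added example; the patent trains an LSTM over (command vector, risk level)
pairs, which is replaced here by an exact-match table so the effect of the two
parameter-typing schemes on the training data is visible.
"""
from collections import Counter, defaultdict
import shlex

LOW_FREQ = "<LOW_FREQ>"   # the shared "first identifier" for all low-frequency parameters (claim 4)
NON_KEY = "<NON_KEY>"     # assumed shared identifier for non-key parameters (not fixed by claims 5-6)
DANGEROUS, SAFE = "dangerous", "non-dangerous"

# Constructed monitoring data, one (command line, analyst label) per entry.
# These are made-up bastion-host style records, not real audit logs.
MONITORING_DATA = [
    ("ls -la /var/log",        SAFE),
    ("ls -la /home/alice",     SAFE),
    ("ls -la /etc",            SAFE),
    ("cat /var/log/syslog",    SAFE),
    ("cat /etc/passwd",        SAFE),
    ("rm -rf /tmp/build",      SAFE),
    ("rm -rf /",               DANGEROUS),
    ("chmod 777 /etc/shadow",  DANGEROUS),
]


def split_command(line):
    """Target command and its parameters, split with shell quoting rules."""
    cmd, *params = shlex.split(line)
    return cmd, params


def parameter_counts(lines):
    """Total occurrences of each parameter across the monitoring data (claim 2)."""
    counts = Counter()
    for line in lines:
        counts.update(split_command(line)[1])
    return counts


def frequency_vector(line, counts, preset_count=2):
    """Claims 2-4: a parameter seen at least preset_count times keeps its own
    identifier; every other parameter collapses to LOW_FREQ."""
    cmd, params = split_command(line)
    return (cmd, tuple(p if counts[p] >= preset_count else LOW_FREQ for p in params))


def importance_level(param):
    """Assumed importance scale (not from the patent): the root directory and
    anything under /etc rate 3, numeric permission modes 2, all else 1."""
    if param == "/" or param.startswith("/etc"):
        return 3
    if param.isdigit():
        return 2
    return 1


def importance_vector(line, preset_level=2):
    """Claims 5-6: a parameter whose importance level reaches preset_level is a
    key parameter and keeps its identifier; the rest collapse to NON_KEY."""
    cmd, params = split_command(line)
    return (cmd, tuple(p if importance_level(p) >= preset_level else NON_KEY for p in params))


def train_lookup_model(data, vectorize):
    """Stand-in for the LSTM of claim 7: map each vector to the set of labels
    seen for it. A vector carrying two labels means the encoding has merged
    commands the labels keep apart."""
    model = defaultdict(set)
    for line, label in data:
        model[vectorize(line)].add(label)
    return dict(model)


def risk_level(model, vector):
    """Dangerous if any training example with this vector was dangerous;
    None when the vector was never seen (the lookup cannot generalise)."""
    labels = model.get(vector)
    if labels is None:
        return None
    return DANGEROUS if DANGEROUS in labels else SAFE


def ambiguous_vectors(model):
    """Vectors that received both labels during training."""
    return sorted(v for v, labels in model.items() if len(labels) > 1)


def build_models(data=MONITORING_DATA, preset_count=2, preset_level=2):
    """Counts plus one lookup model per encoding, trained on the same labelled data."""
    counts = parameter_counts([line for line, _ in data])
    freq = train_lookup_model(data, lambda l: frequency_vector(l, counts, preset_count))
    imp = train_lookup_model(data, lambda l: importance_vector(l, preset_level))
    return counts, freq, imp


if __name__ == "__main__":
    counts, freq_model, imp_model = build_models()
    for line in ["rm -rf /", "rm -rf /srv/data", "chmod 777 /etc/sudoers"]:
        print(line, "->",
              "frequency:", risk_level(freq_model, frequency_vector(line, counts)),
              "importance:", risk_level(imp_model, importance_vector(line)))
    print("ambiguous under frequency encoding:", ambiguous_vectors(freq_model))
```

On this data the frequency encoding folds `rm -rf /tmp/build` and `rm -rf /` into the same vector, so the training set contradicts itself on it (`ambiguous_vectors` reports the collision) and every unseen `rm -rf` path inherits the dangerous label. The importance encoding keeps `/` as a key parameter and separates the two, but an unseen key path such as `/etc/sudoers` then has no entry at all; that gap is what the trained model in claim 7 is meant to close, and it is also where mislabelled training data would surface as silent misses. Checking the labelled set for such collisions before fixing the preset count or level is cheap and worth doing.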
PCT/CN2019/103404 2019-04-16 2019-08-29 Monitoring method and apparatus for operating system WO2020211251A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201910301822.6 2019-04-16
CN201910301822.6A CN110175083A (en) 2019-04-16 2019-04-16 The monitoring method and device of operating system

Publications (1)

Publication Number Publication Date
WO2020211251A1 true WO2020211251A1 (en) 2020-10-22

Family

ID=67689451

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2019/103404 WO2020211251A1 (en) 2019-04-16 2019-08-29 Monitoring method and apparatus for operating system

Country Status (2)

Country Link
CN (1) CN110175083A (en)
WO (1) WO2020211251A1 (en)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110175083A (en) * 2019-04-16 2019-08-27 平安科技(深圳)有限公司 The monitoring method and device of operating system
CN111897709B (en) * 2020-07-31 2024-09-06 上海尚往网络科技有限公司 Method, device, electronic equipment and medium for monitoring user
CN116132258B (en) * 2022-12-19 2024-12-27 中国联合网络通信集团有限公司 Method and device for detecting high-risk instruction

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20090038010A1 (en) * 2007-07-31 2009-02-05 Microsoft Corporation Monitoring and controlling an automation process
CN103516563A (en) * 2013-10-18 2014-01-15 北京奇虎科技有限公司 Equipment and method for monitoring abnormal or normal command
CN109033813A (en) * 2018-07-09 2018-12-18 携程旅游信息技术(上海)有限公司 The auditing system and method for Linux operation log
CN109344615A (en) * 2018-07-27 2019-02-15 北京奇虎科技有限公司 A method and device for detecting malicious commands
CN109495479A (en) * 2018-11-20 2019-03-19 华青融天(北京)软件股份有限公司 A kind of user's abnormal behaviour recognition methods and device
CN110175083A (en) * 2019-04-16 2019-08-27 平安科技(深圳)有限公司 The monitoring method and device of operating system

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20160232353A1 (en) * 2015-02-09 2016-08-11 Qualcomm Incorporated Determining Model Protection Level On-Device based on Malware Detection in Similar Devices
CN106992994B (en) * 2017-05-24 2020-07-03 腾讯科技(深圳)有限公司 Automatic monitoring method and system for cloud service
CN108304308A (en) * 2018-02-07 2018-07-20 平安普惠企业管理有限公司 User behavior monitoring method, device, computer equipment and storage medium
CN109492945A (en) * 2018-12-14 2019-03-19 深圳壹账通智能科技有限公司 Business risk identifies monitoring method, device, equipment and storage medium

Also Published As

Publication number Publication date
CN110175083A (en) 2019-08-27

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 19924671; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: DE)
122 Ep: pct application non-entry in european phase (Ref document number: 19924671; Country of ref document: EP; Kind code of ref document: A1)