CN103532760B - Analytical equipment, system and method for analyzing the order executed on each host - Google Patents

Abstract

The invention discloses the analytical equipments, system and method for analyzing the order executed on each host, wherein the analytical equipment for analyzing the order executed on each host includes：Intensive data recover is configured as at least collecting each host terminal the current command and affiliated host identification by network transmission；Command analyzer is configured as that the current command that the intensive data recover is collected into is identified, at least identifies aberrant commands and normal command；And alarm device, it is configured as being judged whether to meet alarm conditions according to the recognition result of the command analyzer, if it is satisfied, then sending out respective host has abnormal warning information.Through the invention can be in time to what is inputted on each host in network system, the aberrant commands with certain risk are alerted, and the safety of system is improved.

Description

Analysis device, system and method for analyzing commands executed on host computers

technical field

The invention relates to the field of computer technology, in particular to an analysis device, system and method for analyzing commands executed on each host.

Background technique

With the rapid development of the network, there have been network systems that need to serve a large number of users. These network systems are usually distributed on a large number of servers, such as Linux, Unix, etc., and then system administrators can operate these servers by entering commands, but these administrators may not be very familiar with the services provided on these servers, so these operations Commands may cause the server not to work normally, or even cause serious consequences. In addition, with the increase of servers, some servers may be invaded by hackers, and these hackers may perform some malicious operations to destroy the normal operation of the servers.

Of course, the above situation does not only exist on the server, but may also exist on other similar host devices. Therefore, how to monitor the commands executed on host devices such as servers, and how to give an alarm in time when an exception occurs is an urgent problem to be solved at present.

Contents of the invention

In view of the above problems, the present invention is proposed in order to provide an analysis device and system for analyzing commands executed on each host computer and a corresponding analysis device and system for analyzing commands executed on each host computer, which overcome the above problems or at least partly solve the above problems. The parse method for the command.

The embodiment of the present invention discloses an analysis device for analyzing commands executed on each host, including: a centralized data collector configured to at least collect the current commands transmitted by each host terminal through the network and the identifier of the host to which it belongs; command analysis A device configured to identify the current commands collected by the centralized data collector, at least identifying abnormal commands and normal commands; an alarm device configured to determine whether an alarm condition is met according to the identification result of the command analyzer, If it is satisfied, an alarm message indicating that the corresponding host is abnormal is issued.

Optionally, the command analyzer includes a filtering module configured to filter the current commands collected by the centralized data collector using preset suspicious rules, and identify the current commands hit by the suspicious rules as abnormal command, and output the alarm weight of the abnormal command hit by the suspicious rule, the alarm weight is obtained based on the overall hit rate of the suspicious rule to the command; the alarm is specifically configured to be based on the abnormal command The warning weight determines whether the warning condition is met.

Optionally, the alarm weight of the abnormal command output by the filtering module is obtained in the following manner: by using the overall hit rate of the suspicious rule on existing commands as an independent variable, the monotonically decreasing function obtained by the suspicious rule The warning weight of the abnormal command hit.

Optionally, the alarm device is specifically configured to count all abnormal commands on a certain host identified by the command analyzer within an alarm period, and comprehensively process the alarm weights corresponding to these abnormal commands, It is judged whether the preset alarm condition is satisfied according to the value after comprehensive processing.

Optionally, the command analyzer includes: a classification module, configured to classify the current command received by the centralized data collector according to the training sample set of the existing classification model, and obtain whether the current command is a normal command probability and the probability of the abnormal command, and then identify whether the current command is an abnormal command.

Optionally, the alarm is specifically configured to count all abnormal commands on a certain host identified by the command analyzer within an alarm period, and comprehensively process the abnormal command probabilities corresponding to these abnormal commands, It is judged whether the preset alarm condition is satisfied according to the value after comprehensive processing.

Optionally, the command analyzer includes: a filtering module configured to filter the current commands received by the centralized data collector using preset suspicious rules, and output the current commands hit by the suspicious rules to A classification module, and output the warning weight of the current command hit by the suspicious rule, and the warning weight is obtained based on the overall hit rate of the command by the suspicious rule; the classification module is configured to be based on the training of the existing classification model The sample set further classifies the current command input from the filtering module to obtain the probability that the current command is a normal command and the probability of an abnormal command, and then identify whether the current command is an abnormal command.

Optionally, the command analyzer further includes: a learning module configured to perform machine learning after combining the newly added current command with an existing training sample set, and update the existing training sample set used by the classification module.

Optionally, the alarm is specifically configured to count all abnormal commands on a certain host identified by the command analyzer within an alarm period, and compare the abnormal command probability corresponding to each abnormal command with the alarm weight. The corresponding alarm indices are obtained by multiplying, and the alarm indices of these abnormal commands are integrated, and it is judged whether the preset alarm conditions are satisfied according to the integrated values.

The embodiment of the present invention also discloses a system for analyzing commands executed on each host, including the analysis device as described above and several host terminals; the several host terminals are configured to at least The current command and its host ID are transmitted to the centralized data collector through the network.

Optionally, the host terminal includes: a command sending module, which is configured to transform the command parser shell of each host, and increase the host current command and host IP received by the shell to the centralized data collector The function.

Optionally, it also includes: a monitor configured to monitor the deployment of the command sending module in each host, when it is found that a new host has not deployed the command sending module or the command sending module on the host is found When the sending module fails, the IP of the host that has not deployed the command sending module or the command sending module fails automatically logs in to the host, and deploys the command sending module for it.

The embodiment of the present invention also discloses a method for analyzing commands executed on each host, including: collecting the current commands transmitted by each host through the network and the identification of the host to which they belong; identifying the collected current commands , at least identifying abnormal commands and normal commands; judging whether the alarm conditions are met according to the above identification results, and if so, sending out an alarm message indicating that the corresponding host is abnormal.

Optionally, the step of identifying the collected current commands includes: filtering the collected current commands using preset suspicious rules, identifying the current commands hit by the suspicious rules as abnormal commands, and obtaining The warning weight of the abnormal command hit by the suspicious rule, the warning weight is obtained based on the overall hit rate of the suspicious rule to the command; the step of judging whether the warning condition is met according to the above recognition result includes: according to the The alarm weight of the abnormal command judges whether the alarm condition is met.

Optionally, the alarm weight of the abnormal command is obtained in the following manner: by using the overall hit rate of the suspicious rule on existing commands as an independent variable, the abnormal command hit by the suspicious rule is obtained by a monotonically decreasing function warning weight.

Optionally, count all abnormal commands identified on a certain host within an alarm cycle, perform comprehensive processing on the corresponding alarm weights of these abnormal commands, and judge whether the preset values are satisfied according to the comprehensively processed values. Alarm condition.

Optionally, the identifying the collected current commands includes: according to the training sample set of the existing classification model, classifying the received current commands to obtain the probability that the current command is a normal command and the probability that it is an abnormal command, Then it is identified whether the current command is an abnormal command.

Optionally, the step of judging whether the alarm condition is met according to the identification result includes: counting all abnormal commands on a certain host identified within an alarm period, and comprehensively processing the abnormal command probabilities corresponding to these abnormal commands , judging whether the preset alarm condition is satisfied according to the integrated value.

Optionally, the identifying the collected current commands includes: filtering the received current commands using preset suspicious rules, filtering out the current commands hit by the suspicious rules, and outputting the current commands hit by the suspicious rules. The alarm weight of the hit current command, the alarm weight is obtained based on the overall hit rate of the suspicious rule to the command; according to the training sample set of the existing classification model, the above-mentioned current command that is screened out is further classified to obtain the current command The probability of being a normal command and the probability of being an abnormal command are used to identify whether the current command is an abnormal command.

Optionally, it also includes: performing machine learning after merging the newly added current command with the existing training sample set, and updating the existing training sample set used for classification.

Optionally, the step of judging whether the alarm condition is met according to the identification result includes: counting all abnormal commands on a certain host identified within an alarm period, and calculating the abnormal command probability and alarm weight corresponding to each abnormal command Multiply the corresponding alarm indices to obtain the corresponding alarm indices, perform comprehensive processing on the alarm indices of these abnormal commands, and judge whether the preset alarm conditions are met according to the integrated value.

Optionally, the step of collecting the current commands transmitted by each host through the network and the identification of the hosts to which they belong includes: transforming the command parser shell of each host, adding the host current command and host IP received by the shell A function that is transmitted to a designated device through the network, and uses the function to collect the current commands of the hosts and the IDs of the hosts they belong to.

Optionally, it also includes: monitoring the events of each host transmitting the current command and the ID of the host to which it belongs, and when it is found that there is a new host that has not undergone the above-mentioned shell modification or the modification fails, automatically log in to the host through the IP of the host to serve as its Deploy a retrofit of the above shell.

According to the analysis equipment for analyzing the commands executed on each host of the present invention, in a network system including several hosts, the current commands transmitted by each host through the network and the identifier of the host to which the current command belongs can be collected, and the collected current Effectively identify the commands with certain operational risks among the commands, judge whether the command input on the host is abnormal or normal, and when the host has an abnormal command input and meets the alarm conditions, it will promptly issue an alarm about the abnormality of the corresponding host information, which solves the problem of bad influence on the stable operation of the host and even the entire system when dangerous commands are entered on the host in the system due to misoperation by the administrator, hacker attacks, etc. An alarm is issued for dangerous commands entered, which improves the security of the system.

The above description is only an overview of the technical solution of the present invention. In order to better understand the technical means of the present invention, it can be implemented according to the contents of the description, and in order to make the above and other purposes, features and advantages of the present invention more obvious and understandable , the specific embodiments of the present invention are enumerated below.

Description of drawings

Various other advantages and benefits will become apparent to those of ordinary skill in the art upon reading the following detailed description of the preferred embodiment. The drawings are only for the purpose of illustrating a preferred embodiment and are not to be considered as limiting the invention. Also throughout the drawings, the same reference numerals are used to designate the same parts. In the attached picture:

FIG. 1 shows a schematic diagram of an analysis system for analyzing commands executed on each host according to an embodiment of the present invention;

FIG. 2 shows a flowchart of an analysis method for analyzing commands executed on each host according to an embodiment of the present invention; and,

Fig. 3 shows a schematic diagram of a specific application according to an embodiment of the present invention.

Detailed ways

Exemplary embodiments of the present disclosure will be described in more detail below with reference to the accompanying drawings. Although exemplary embodiments of the present disclosure are shown in the drawings, it should be understood that the present disclosure may be embodied in various forms and should not be limited by the embodiments set forth herein. Rather, these embodiments are provided for more thorough understanding of the present disclosure and to fully convey the scope of the present disclosure to those skilled in the art.

Please refer to FIG. 1, which shows a system for analyzing commands executed on each host according to an embodiment of the present invention, the system includes several host terminals 210 and an analysis system for analyzing commands executed on each host device 100. Wherein, the analysis device 100 specifically includes a centralized data collector 110 , a command analyzer 120 and an alarm 130 , each host terminal 210 includes a command sending module 2102 , and each host terminal 210 is coupled to the centralized data collector 110 . The analysis device for analyzing commands executed on each host and the specific implementation manners of each component will be specifically introduced below.

A network system is generally composed of multiple host terminals 210, and the host terminals 210 may be computer entities or virtual machines running on computer devices. Multiple host terminals can complete different divisions of labor, and various commands can be run on each terminal to perform operations on the system such as power on and off, file operations, system configuration, installation/uninstallation of software, etc., among the commands entered may be There are commands that may cause potential harm to the system operation, so it is necessary to identify these commands that may cause potential harm through the analysis device 100. The first choice is to transmit the current command executed on each host and the host identification to the analysis device 100 through the network. , the host ID can be the host name and/or IP address of each host in the network system, etc. The purpose of the analysis device 100 to obtain the host ID is mainly to determine which host issued the currently input command, so that once the command is at risk , can issue an alarm message under certain conditions. In order to accurately and comprehensively transmit the commands executed on each host to the analysis device 110 , it is necessary to set a command sending module 2102 in each host terminal 210 .

First, the command sending module 2102 transmits the current command on each host and the ID of the host to which it belongs to the centralized data collector 110 through the network. For example, the command sending module 2102 modifies the command parser shell of each host, and adds a function of transmitting the current host command and host IP received by the command parser shell to a designated device (such as the centralized data collector 110). For example, in a UNIX-like operating system, the common shells include bash, csh, tcsh, etc. Taking bash as an example, the add_history function can be modified, and specifically talker(char*host,char*message) can be added to it. The call of the function is implemented by the talker function to transmit the current command message input on the current host to the centralized data collector 110 . This transmission of the current command input can be real-time, that is, once a command input occurs on the monitored host terminal 210, the input command will be transmitted to the centralized data recovery device 110, and the monitored host terminal 210 can also be sent The command input above is stored in the form of the log shell_log, and the shell_log log is transmitted to the centralized data collector 110 when certain conditions are reached, for example, when a certain time period is reached, or when the shell_log file reaches a certain size, the shell_log file is transmitted To the centralized data reclaimer 110.

After each host terminal 210 transmits the command executed on each host and the identifier of the host through the network to several data collectors 110 through the command sending module 2102, the centralized data collector 110 can collect the The command input, and the command input on which host computer, optionally, all received commands can be saved to a database, and then data preparation is done for analyzing the current command, and the command analyzer 120 is coupled to Centralize the data collector 110, and the subsequent specific analysis work is mainly completed by the command analyzer 120.

The command analyzer 120 identifies the current commands collected by the centralized data collector 110, at least identifying abnormal commands and normal commands. Among them, the abnormal command is a command that may potentially threaten the normal operation of the system, and the normal command is a command that does not threaten the normal operation of the system. Specifically, when the command analyzer 120 is implemented to recognize commands, there may be multiple implementation manners, and several implementation manners of the command analyzer 120 will be introduced in detail below.

Implementation method one:

The command analyzer 120 may include a filtering module 1202, through which the current command received by the centralized data collector 110 is filtered using preset suspicious rules, and the current command hit by the suspicious rule is identified as an abnormal command, and output is The warning weight of the abnormal command hit by the suspicious rule. Here, the warning weight is obtained based on the overall hit rate of the suspicious rule to the command. The preset suspicious rules can be pre-generated based on the characteristics of common dangerous operations. Each suspicious rule includes at least one characteristic identifier of dangerous operations. There are many kinds of characteristic identifiers of dangerous operations according to the actual situation, such as one of the following situations or more: add an account; open, modify, or delete key attributes of sensitive files; view or modify passwords of sensitive files; change network settings; elevate user privileges; change firewall settings; view system logs; compile code; have sensitive words; change File permissions and attributes; shutdown/restart; display specific file content; establish network links and download files from specified addresses, etc. Suspicious rules can be implemented in the form of regular expressions, that is, the characteristic identification information of dangerous operations is reflected in the regular expressions, so that the commands with these dangerous operation characteristic identifications are filtered out through the preset regular expression rules, that is, regular The expression rules are matched with the collected current commands, and the abnormal commands that hit the suspicious rules are filtered out, while the commands that are not hit by the suspicious rules can be regarded as normal commands. In addition, each regular expression may only be able to filter commands of a specific format or specific content, so in practical applications, it is more likely to use multiple regular expressions for multiple rounds of filtering, which will hit suspicious rules The commands of any suspicious rule in the group are determined as suspicious commands and filtered, and the commands that do not match all the rules are determined as normal commands.

During the filtering process, the overall hit rate of each suspicious rule can also be counted. The so-called overall hit rate of suspicious rules refers to the number or times of abnormal commands hit by each suspicious rule in all commands, accounting for all commands. proportion. For example, the behavior of viewing passwords can usually be understood as an unauthorized behavior of illegally obtaining passwords, and obtaining passwords can be achieved by opening password files with some commands. For example, in Linux operating systems, password files are generally stored Under a specific path, and named with a specific file name, and the Linux operating system provides a command to view the contents of a specific file, which provides a possible way to illegally obtain the password. For example, when you have sufficient permissions, execute the command: cat /etc/passwd to view the password content saved in the password file passwd. In order to filter such commands, regular expressions can be used:

.*[\s\W]+passwd.*|^passwd.* and,

.*passwd.*

Through these two suspicious rules in the form of regular expressions, all commands containing the sensitive keyword "passwd" can be filtered out.

Suppose one of the suspicious rules filters a total of 4,651,629 commands and hits 7,915 of them, then the 7,915 hit commands can be regarded as suspicious commands, and the overall hit rate corresponding to this suspicious rule can pass: the suspicious Suspicious commands hit by the rule/all commands detected by it are obtained. For example, in this example, the overall hit rate of the suspicious rule is:

7915/4651629≈0.001702

After the overall hit rate is counted, the filtering module 1202 outputs the alarm weight of the abnormal command hit by the suspicious rule, and the alarm weight can be obtained based on the overall hit rate of the command by the suspicious rule. Specifically, when the warning weight is obtained based on the overall hit rate of the suspicious rule to the command, the value of the abnormal command hit by the suspicious rule can be obtained by using the monotonically decreasing function of the overall hit rate of the suspicious rule to the existing command as an independent variable. Alert weight. For example, if the overall hit rate is recorded as Pa, the alarm weight of the abnormal command hit by the suspicious rule can be obtained by using the overall hit rate as an independent variable monotonically decreasing function (1-Pa)*D, where D is a constant. For example, in the above example, the hit rate Pa of a rule can be 0.001702, which can be calculated according to

(1-Pa)*D=(1-0.001702)*100≈99.8

Where D is 100, then the warning weight of the abnormal command hit by the suspicious rule is about 99.8.

The reason why the overall hit rate is used as a monotonically decreasing function of the independent variable is that in practical applications, the abnormal command hit by a suspicious rule is actually a suspiciously dangerous command. High, indicating that the command hit by the suspicious rule may be a relatively common command, but based on the actual situation, after all, there are only a few truly abnormal commands, so logically speaking, if a certain suspicious rule hits commands more times or with a higher frequency , then the possibility that the command hit by this suspicious rule is a real abnormal command is relatively low. The reason why it is hit by a suspicious rule is probably because the suspicious rule is a relatively "strict" rule, and then it can be considered that the rule The hit command is less dangerous, therefore, the abnormal command hit by it can take a smaller alarm weight.

The alarm weight value output by the filtering module 1202 can be used as the basis for the alarm device 130 to obtain the alarm weight value, and this part will be described in detail in the subsequent content of the alarm device 130 .

Implementation method two:

The command analyzer 120 can include a learning module 1206 and a classification module 1204 .

The learning module 1206 mainly performs machine learning on the training sample set, and then provides various required prior parameters for the classification module 1204 . Since the classification module 1204 can be implemented based on various classification principles such as Bayesian, logistic regression, partial least squares or decision tree, correspondingly, the learning module also needs to provide different prior parameters according to different classification modules 1204 . Taking the classification module 1204 implemented based on the Bayesian principle and the learning module 1206 providing various prior probabilities required for the classification module 1204 as an example, the two modules will be described in detail below.

The learning module 1206 performs machine learning on known training sample sets. The training sample set includes a certain number of known commands, and it is known whether these commands are abnormal commands. The fields obtained by segmenting the known commands in the training sample set can be regarded as feature words related to the command. These feature words can be the command string itself, such as cat, wget, etc., and can also include parameters extracted from the command content. Such as the command:

wget-o http://www.sina.com/dasd/hahah/tad.tgz/usr/loca/dasd/etc/passwd for word segmentation, you can get the following set of feature words:

{'wget','-o','http','www.sina.com','dasd','hahah','tad.tgz','usr','loca','dasd','etc ','passwd','www','sina','com'}

Specifically, when segmenting commands to obtain feature words, you can use regular expression tools, for example, you can use

[_\$]*[a-zA-Z\d\._\-]+[^\w\(/;=\-\)\[\]\{\}:>&\?\.\ \\s,\d'"\%<]*

Divide the command, you can also use regular expressions

((\w+\.){1,6}(?:net|cn|com|gov|edu|asia|me|co))

Identify the URL in the command, so that the command example above can be segmented to obtain a set of feature words based on the command.

Since it is known whether the command is abnormal in the training sample set, the probability of abnormal command occurrence can be obtained by (the number of abnormal commands/the total amount of commands in the training sample set), and the probability of normal commands can be obtained by (the number of normal commands/the total number of commands in the training sample set command total) obtained. In addition, by segmenting the commands in the training sample set, the probabilities of each feature word appearing in abnormal commands and normal commands can also be obtained statistically, so the learning module 1206 can obtain the above prior probabilities. Then, these prior probability data are provided to the classification module 1204 for use, so that the classification module 1204 can classify the current command to be analyzed.

It can be seen that, according to the training sample set of the existing classification model (specifically, the learning module 1206 provides some prior probabilities to the classification module 1204 after performing machine learning on the training sample set of the existing classification model), the classification module 1204 centralizes the data collector 110 The received current command is classified to obtain the probability that the current command is a normal command and the probability of an abnormal command, and then identify whether the current command is an abnormal command.

The Bayesian classification method is taken as an example below to introduce the classification module 1204 in detail.

The Bayesian classification method is a statistical classification method, which is a class of algorithms that use probability statistics for classification. In many applications, the naive Bayesian classification method can obtain very accurate classification results, and the Bayesian classification method itself has the characteristics of easy implementation, high classification accuracy and fast speed. The principle of the Bayesian classification method is Through the prior probability of the object, the Bayesian formula is used to calculate its posterior probability, that is, the probability that the object belongs to a certain class, and the class with the largest posterior probability is selected as the class to which the object belongs. In the embodiment of the present invention, the classification module 1204 can use the Bayesian classification method to identify whether the current command is an abnormal command, and the implementation process will be described in detail below.

The Bayesian classification method is used to implement the classification module 1204. Its essence is to realize whether the commands known to be abnormal in the training sample set, the probabilities of occurrence of abnormal commands and normal commands, and the abnormality of each field obtained by word segmentation according to the known commands are realized. Command and normal command occurrence probability to obtain the probability that the command is a normal command and the probability that the command is an abnormal command when a command is given and a certain/certain field appears in the given command, and then determine the The category to which the command belongs. This process is to train the classification module 1204 according to the training sample set. Through the training, the classification module 1204 can obtain a priori probability, and then can identify which category the current command belongs to according to the Bayesian classification method, that is, the ability to belong to abnormal commands or normal commands.

When a current command of unknown classification is given, it is judged whether it belongs to an abnormal command or a normal command. To classify it using the Bayesian classification method, it is first necessary to segment the current command. When segmenting the current command, the same This can be achieved using regular expressions. Assume

x={w ₁ ,w ₂ ,w ₃ ,…,w _n } is the set of feature words obtained by word segmentation of the current command of the unknown category;

y={y ₁ =good,y ₂ =bad} is a collection of categories, where y ₁ =good represents the classification of normal commands, and y ₂ =bad represents the classification of abnormal commands; next, we need to obtain P(y ₁ |x), P(y ₂ |x), where P(y ₁ |x) represents the probability that it belongs to a normal command when the current command contains each feature word in the set x, and P(y ₂ |x) represents the probability that the current command contains the set When each characteristic word in x, it belongs to the probability of abnormal command. Compare the values of P(y ₁ |x) and P(y ₂ |x), and determine the classification of the current command according to the comparison result. For example, the larger of the two values is taken as the classification of the current command, or when the difference between the two reaches a certain threshold, the larger of the two is taken as the classification of the current command. The following describes how to obtain P(y ₁ |x) and P(y ₂ |x).

According to the Bayesian classification method, there are the following acquisition methods:

P(y ₁ |x)=P(x|y ₁ )*P(y ₁ )/P(x)

P(y ₂ |x)=P(x|y ₂ )*P(y ₂ )/P(x)

Among them, P(x) is an equal constant for the two categories of y ₁ =good and y ₂ =bad. Therefore, only P(x|y ₁ )*P(y ₁ ), and P(x|y ₂ )*P(y ₂ ) is enough.

The probability P(y ₁ ) of normal commands and the probability P(y ₂ ) of abnormal commands can be determined according to the frequency of normal commands and abnormal commands in the training sample set. For example, a total of 4,651,629 commands were collected in the training sample set, and there were 68,440 abnormal commands, the probability P(y ₂ ) of abnormal commands is:

68440/4651629≈0.014713

The probability of the corresponding normal command appearing is P(y ₁ )≈(1-P(y ₂ ))=0.985287.

Since P(x|y ₁ )=P([w ₁ ,w ₂ ,w ₃ ,…,w _n ]|y ₁ ), and w ₁ ,w ₂ ,w ₃ ,…,w _n can be considered conditionally independent , we can decompose P([w ₁ ,w ₂ ,w ₃ ,…,w _n ]|y ₁ ) into:

P(w ₁ |y ₁ )*P(w ₂ |y ₁ )*P(w ₃ |y ₁ )*…*P(w _n |y ₁ )

Among them, P(w ₁ |y ₁ ), P(w ₂ |y ₁ ), P(w ₃ |y ₁ ), ..., P(w _n |y ₁ ), represent the feature words in the set x The probability of appearing in normal commands and the probability values represented by these items can be calculated by the probability of target feature words appearing in normal commands in the training sample set. The principle of obtaining P(x|y ₂ ) is similar to the method of obtaining P(x|y ₁ ), and will not be repeated here. It should be noted that when obtaining the product of P(w ₁ |y ₁ ), P(w ₂ |y ₁ ), P(w ₃ |y ₁ ), ..., P(w _n |y ₁ ), due to The values of each item belong to the (0,1) interval, resulting in the result obtained after multiplication of each item is often close to 0, and even the calculation result may be equal to 0 because it exceeds the range of floating-point numbers that the computer can express. Optionally, you can also add:

P(w ₁ |y ₁ )*P(w ₂ |y ₁ )*P(w ₃ |y ₁ )*…*P(w _n |y ₁ ) is transformed into logarithmic sum form, for example, transformed into:

So far, the items in P(x|y ₁ )*P(y ₁ )/P(x) and the items in P(x|y ₂ )*P(y ₂ )/P(x) can pass The above method obtains, that is, obtains the values of P(y ₁ |x) and P(y ₂ |x), and then it can be determined according to the values of P(y ₁ |x) and P(y ₂ |x) When a command contains each characteristic word in the set x, it belongs to a normal command or an abnormal command.

The classification module 1204 implemented by the Bayesian classification method has been introduced above. In practical applications, the classification module implemented by this method can learn based on the training sample set, and can obtain very accurate classification results for the current input command. The classification method It is easy to implement itself, with high classification accuracy and fast speed.

It should be noted that, in addition to using the Bayesian classification method to classify the input commands, the classification module 1204 may also be implemented by using logistic regression, partial least square method, decision tree, and the like. The classification module 1204 realized by different methods, its data training learning and recognition process will be different due to different methods, but it can also classify the current command input very accurately, and identify whether the current command is a normal command or an abnormal command . For example, in the classification module 1204 implemented using a decision tree, it is necessary to first perform training according to the data in the training sample set to generate a decision tree model. When it is necessary to judge the classification of the current command input, the current command can be segmented first, Substitute the obtained feature words into the decision tree model to calculate which category it belongs to, and then determine whether the current command is a normal command or an abnormal command. Other implementation methods of the classification module 1204 can be divided into the process of learning and training according to the training sample set, producing a judgment model, and then using the judgment model to judge the input current command, which will not be repeated here.

In addition, in practical applications, Bayesian classification methods, logistic regression, partial least squares or decision trees are used to implement the classification module 1204, and the output result is an approximate value close to the real situation. This approximate value can only be obtained when the training samples Only when the concentrated training samples reach a certain scale can the desired accuracy be achieved. In other words, the more training samples that can be collected, the more reliable the trained classification module 1204 is, and the closer the output results are to actual situation. Therefore, in actual use, it is necessary to continuously expand the data of the training sample set. The learning module 1206 uses the newly added current command as a part of the training samples, and performs machine learning after merging with the existing training sample set, thereby updating to The various prior parameters provided by the classification module 1204 further enable the classification module 1204 to use more abundant training samples for learning and training, further improve the recognition accuracy of the classification module 1204, and make the recognition result of the current input command more accurate.

Implementation method three:

The command analyzer 120 may include a filtering module 1202, a classification module 1204, and a learning module 1206. The filtering module 1202 filters the commands received by the centralized data collector 110 using preset suspicious rules, and outputs the commands hit by the suspicious rules. to the classification module 1204, and output the warning weight of the command hit by the suspicious rule, the warning weight is obtained based on the overall hit rate of the suspicious rule to the command; the classification module 1204 is coupled to the filtering module 1202, according to the existing classification model The training sample set further classifies the current command input from the filtering module 1202 to obtain the probability that the current command is a normal command and the probability of an abnormal command, and then identify whether the current command is an abnormal command. The learning module 1206 in this implementation is similar to the learning module 1206 in the second specific implementation. It still performs machine learning on the existing sample training sample set, and when there is a new command, the new command is combined with the existing training sample. Machine learning is performed after the collections are merged, so as to provide various prior parameters required by the classification module 1204 .

The implementation method here combines the implementation methods of the first implementation method and the second implementation method. First, the current command received by the centralized data collector 110 is filtered by the filtering module 1202 using preset suspicious rules. The preset suspicious rules can be preset The preset regular expression rules, through the preset regular expression rules, perform batch matching with the current commands to be collected, and filter out the abnormal commands that hit suspicious rules, while the commands that are not hit by suspicious rules can be regarded as normal Order. And output the warning weight of the current command hit by the suspicious rule. The warning weight is obtained based on the overall hit rate of the suspicious rule to the command. The method of obtaining the warning weight based on the overall hit rate of the suspicious rule to the command can refer to the implementation method 1 , which will not be repeated here.

Furthermore, the filtering module 1202 outputs the commands hit by suspicious rules to the classification module 1204, and the classification module 1204 further judges the commands hit by suspicious rules to identify whether the current command is a normal command or an abnormal command. Wherein, the specific implementation manner of the classification module 1204 is similar to that of the classification module 1204 in the second implementation manner above, so it will not be repeated here. In this implementation mode, the commands hit by the suspicious rules of the filtering module 1202 are input to the classification module 1204 for further judgment, so that the judgment of whether the currently input command is an abnormal command is more accurate, and the judgment can be made to a large extent. Further avoid the occurrence of misjudgment.

After the command analyzer 120 identifies the abnormal command through the above-mentioned various methods, it provides the command to the alarm module 130 . The alarm module 130 judges whether the alarm condition is satisfied according to the recognition result of the command analyzer 120, and if so, sends out an alarm message indicating that the corresponding host is abnormal. There are various ways to send out the alarm information. For example, it can send an email containing the alarm information of the abnormality of the host to the reserved email address, or send an alarm of the abnormality of the host to the reserved phone number. The way of information, information and so on. As before, there is a corresponding relationship between the commands executed on each host and the host it executes. When the alarm conditions are met, an alarm message indicating that the corresponding host executing the abnormal command is abnormal can be issued, and the corresponding host can be dealt with in a timely manner.

Specifically, when realizing the alarm device 130, the alarm device 130 can count the number of times that the abnormal commands of each host appear in a certain period of time, and judge whether the number of times in this cycle reaches the preset threshold value. Abnormal warning information. For example, the preset setting is that if a host has more than 10 abnormal commands within 5 minutes, an alarm message will be issued, and if a host is detected to enter 11 abnormal commands within a 5-minute period, an alarm message will be issued. Abnormal warning information. In addition to this warning method, in order to realize a more flexible and accurate warning, the alarm device 130 may also be implemented in other ways. Other ways of implementing the alarm 130 will be introduced below.

The alerter 130 may have different implementations corresponding to different implementations of the command analyzer 120 . As corresponding to the aforementioned first implementation of the command analyzer 120, the alarm device 130 can determine whether the alarm condition is met according to the alarm weight determined by the overall hit rate corresponding to the command that is hit by the suspicious rule when an abnormal command appears, and then When the alarm condition is met, an alarm message indicating that the corresponding host is abnormal is issued. During specific implementation, the alarm device 130 can also count all abnormal commands on a certain host computer identified by the command analyzer 120 within an alarm period, and perform comprehensive processing on the corresponding alarm weights of these abnormal commands. According to the comprehensive processing The final value judges whether the preset alarm condition is met. For example, the output of the command analyzer 120 corresponds to the abnormal command hit by each suspicious rule and the corresponding alarm weight as follows:

cmd001 - 99.8

cmd003 - 30.0

cmd004 - 95.3

cmd005 - 99.8

Within the preset time period, the preset alarm condition is that the sum of the alarm weights of all abnormal commands that appear reaches the preset alarm threshold. For example, the preset alarm condition is within a time period of 5 minutes, and the alarm weight When the sum of the values reaches 1000, an alarm message will be issued, and the number of occurrences of the above abnormal commands within 5 minutes is as follows:

cmd001 - 2 times

cmd003 - 1 time

cmd004 - 3 times

cmd005 - 5 times

According to the above-mentioned alarm weights and occurrence times of each abnormal command, the sum of the alarm weights in the 5 minutes is 1014.5. It can be seen that the sum of the alarm weights in the 5 minutes has exceeded the preset alarm threshold, and the corresponding host exists Abnormal warning information.

It can be seen that the "comprehensive processing" of the alarm weight corresponding to the abnormal command can be different according to the specific alarm method. As in the above example, it can be the product of the number of occurrences of each abnormal command and the corresponding alarm weight accumulation, or directly accumulate the warning weight of each abnormal command (if a certain command appears multiple times in one warning cycle, the warning weight of the command will be accumulated multiple times) if the final result reaches the preset threshold A warning message is issued. It should be noted that the reason why the alarm weights corresponding to all abnormal commands of a certain host within an alarm cycle are comprehensively processed, and then judge whether an alarm is needed is mainly to reduce false alarms as much as possible, because Often when there are truly dangerous commands, multiple abnormal commands may appear in a short period of time, so a better way is to comprehensively analyze their alarm weights for all abnormal commands within a certain period of time (that is, within an alarm period). Rather than just looking at the warning weight of a certain abnormal command alone. Therefore, it can be understood that there are various methods of comprehensive processing, such as the accumulation of multiple alarm weights mentioned above, or the multiplication of multiple alarm weights to obtain logarithms, etc. It all depends on the actual needs. , these feasible ways are all within the protection scope of the present invention. Moreover, for different implementations of the command analyzer 120, since the way of obtaining the warning weight and the final numerical expression of the warning weight can be different, the "comprehensive processing" of the warning weight corresponding to the abnormal command Correspondence may also be different.

When the command analyzer 120 is implemented in the manner of the second implementation, the classification module 1204 included in the command analyzer 120 can obtain the probability that the current command is a normal command and an abnormal command. At this time, the alarm 130 can count the The command analyzer 120 integrates all the abnormal commands on a certain host identified by the corresponding abnormal command probabilities, and judges whether the preset alarm conditions are satisfied according to the integrated values. For example, within a preset time period of 5 minutes, the abnormal commands input by a certain host, the number of occurrences of each abnormal command, and the probability that each abnormal command is an abnormal command are as follows:

cmd001 - 2 times - 0.95

cmd003 - 1 time - 0.89

cmd004 - 3 times - 0.98

cmd005 - 5 times - 0.90

When the probabilities of abnormal commands corresponding to these abnormal commands are comprehensively processed, the sum of the product of the probability of each abnormal command and the number of occurrences can be summed (or the probability of each abnormal command can be multiplied, if it occurs multiple times, the cumulative multiplication Multiple times), as the reference data for whether to give an alarm. For example, in this example, the obtained reference data is 10.23. If the preset alarm condition is that the reference data is higher than 10, it is judged that the result of the integrated processing meets the preset alarm condition, and an alarm message indicating that the corresponding host is abnormal is issued. Similar to the above-mentioned specific implementation methods of comprehensive processing, there can also be multiple specific implementation methods of comprehensive processing in this example, and the specific methods of comprehensive processing can be adjusted according to the actual situation, as long as it can It shows that it is only necessary to combine the probabilities of multiple abnormal commands to determine whether to give an alarm.

In the command analyzer 120 implemented in the third implementation mode, the current command received by the centralized data collector 110 can be filtered through the filtering module 1202 using preset suspicious rules, and the alarm weight of the current command hit by the suspicious rule can be output. And the classification module 1204 further judges the current command hit by the suspicious rule, identifies whether the current command is a normal command or an abnormal command, and obtains the probability that the current command is a normal command and the probability of an abnormal command respectively. In this way of implementation, when the alarm device 130 is implemented, it can count all the abnormal commands on a certain host identified by the command analyzer 120 within an alarm period, and calculate the abnormal command probability and alarm power corresponding to each abnormal command. Values are multiplied to obtain the corresponding alarm index, and the alarm indices of these abnormal commands are integrated, and it is judged whether the preset alarm condition is met according to the integrated value. For example, within the preset time period of 5 minutes, the abnormal command input by a host, the corresponding abnormal command probability, alarm weight and the number of occurrences of each abnormal command are shown in Table 1:

Table 1

abnormal command Abnormal command probability Alarm weight Warning index The number of occurrences cmd001 0.95 99.8 98.41 2 cmd003 0.89 90.0 80.10 1 cmd004 0.98 95.3 93.39 3 cmd005 0.90 99.8 89.82 5

At this time, when comprehensively processing the alarm index of the abnormal command, the alarm index corresponding to each abnormal command can be accumulated. Optionally, or in other words, the sum of the products of the warning index corresponding to each abnormal command and the number of occurrences is taken as the reference data for whether to issue warning information. For example, in the above table, the reference value obtained by comprehensively processing the alarm index of the abnormal command is 1006.19. If the preset alarm condition is a preset alarm threshold of 1000 and the reference value is higher than the alarm threshold, it will be issued. Alarm information, then in this example, the reference value obtained by comprehensively processing the alarm index of the abnormal command is 1006.19, which is higher than the preset alarm threshold and meets the preset conditions for sending alarm information, and an alarm about the abnormality of the corresponding host is issued information.

So far, the above-mentioned system for analyzing the commands executed on each host can better complete the analysis and alarm of the commands executed on each host. In order to realize the closed-loop monitoring of each host terminal and improve the security of the entire network system, the system may further include a monitor 220 through which the deployment of the command sending module 2102 in each host is monitored. Specifically, on the one hand, the monitor 220 can obtain the information of each host terminal deployed in the system, such as the host IP of each host terminal; In this way, by comparison, the monitor 220 can know which commands executed on the hosts have not been successfully transmitted to the centralized data collector 110 .

If the host terminal that has deployed the command sending module 2102 does not correctly transmit the command to the centralized data collector 110, it means that the command sending module 2102 on the host terminal is invalid; If the command is transmitted to the centralized data collector 110, it means that the command sending module 2102 has not been deployed on the host terminal. After the monitor 220 discovers the above two situations, it can be processed in time. For example, when it is found that there is a new host that has not deployed the command sending module 2102 or when it is found that the command sending module 2102 on the host fails, it can pass the undeployed command sending module. 2102 or the IP of the host whose command sending module 2102 fails is automatically logged on to the host, and the command sending module 2102 is deployed for it. It can be seen that the command sending module 2102 on each host is monitored in real time by the monitor 220, and the command sending module 2102 that cannot operate normally, or the situation of the host computer that has not deployed the command sending module 2102 newly added, can be found in time. Furthermore, when an abnormality is found, the host that cannot run the command sending module 2102 can be adjusted in time, or the command sending module 2102 can be deployed on a newly added host that has not deployed the command sending module 2102 . This ensures that the entire system can realize closed-loop monitoring, discover and solve problems by itself, and better ensure the accuracy of command analysis results and alarms.

The analysis device and system provided by the embodiments of the present invention for analyzing commands executed on each host are described above. Corresponding to the analysis device and system for analyzing commands executed on each host provided by the embodiment of the present invention, the embodiment of the present invention also provides an analysis method for analyzing commands executed on each host.

Please refer to FIG. 2 , the method starts at step S210, first collecting the current commands transmitted by each host through the network and the IDs of the hosts to which they belong. When collecting the current commands transmitted by each host through the network and the host IDs to which they belong, the shell of the command parser of each host can be modified to add the function of transmitting the current command of the host and the host IP received by the shell to the specified device through the network , use the function to collect the current command of each host and the ID of the host to which it belongs. Step S210 can be executed by the aforementioned centralized data collector 110 , and its relevant technical features can refer to the foregoing description of the centralized data collector 110 in the embodiment, and will not be repeated here. In addition, it is also possible to monitor the events of each host transmitting the current command and its own host ID. When it is found that a new host has not undergone the above-mentioned shell transformation or the transformation fails, it will automatically log in to the host through the host IP to deploy the above-mentioned shell for it. In order to facilitate timely discovery of hosts that cannot normally transmit commands or host IDs, or newly added hosts that have not added transmission functions, timely adjustments are made to these hosts, thereby realizing closed-loop monitoring of each host and improving the overall network system. security.

In step S210, the current commands of each host and the identifiers of the hosts are collected, and then step S220 may be executed to identify the collected current commands, at least to identify abnormal commands and normal commands. Specifically, when identifying the current command, there are also multiple implementation methods:

The first way is to filter the collected current commands with preset suspicious rules, identify the current commands hit by suspicious rules as abnormal commands, and obtain the alarm weight and alarm weight of abnormal commands hit by suspicious rules It is obtained based on the overall hit rate of the command by the suspicious rule, where the suspicious rule may be a regular expression rule. This implementation can be realized by the command analyzer 120 in the above system embodiment, specifically by the filter module 1202, so related technical features can refer to the relevant description of the filter module 1202 above, and will not be repeated here. Similarly, in addition to filtering out abnormal commands according to suspicious rules, the alarm weight of abnormal commands can also be obtained. It can also be obtained by using the overall hit rate of the suspicious rule on existing commands as an independent variable. For the alarm weight of the abnormal command hit by a suspicious rule, related technical features can also refer to the description of the alarm weight in the filter module 1202 in the previous system embodiment, and will not be repeated here.

The second implementation method is to classify the received current command according to the training sample set of the existing classification model, obtain the probability that the current command is a normal command and the probability that it is an abnormal command, and then identify whether the current command belongs to Unusual command. In this implementation, the classification model can be implemented based on methods such as Bayesian classification methods, logistic regression, partial least squares, or decision trees. The implementation process can be, first, based on the training sample set, using a classification method Carry out training and learning, and then when it is necessary to judge the classification of the current input command, the current command can be segmented first, and the obtained feature words can be substituted into the trained model to calculate which classification it belongs to, and then determine the current command. The command is either a normal command or an abnormal command. Of course, in order to improve the accuracy of classification, it is necessary to continuously enrich the data in the training sample set. Therefore, the newly added current command can be combined with the existing training sample set for machine learning to update the existing training sample set used for classification. This implementation can be executed by the command analyzer 120 in the above system embodiment, specifically by the classification module 1204 and the learning module 1206, that is, the second implementation of the command analyzer 120, so related technical features can refer to classification The description of module 1204 in the embodiment will not be repeated here.

The third implementation method can be understood as a combination of the previous two implementation methods, that is, firstly, the current command received is filtered by the preset suspicious rules, and the current command hit by the suspicious rule is filtered out, and the suspicious rule is output. The alarm weight of the current command hit by the rule, where the alarm weight is obtained based on the overall hit rate of the suspicious rule to the command; and then, according to the training sample set of the existing classification model, further classify the above-mentioned current command selected , to obtain the probability that the current command is a normal command and the probability that it is an abnormal command, and then identify whether the current command is an abnormal command. Thus, a more accurate identification result of whether the current command is an abnormal command can be obtained. This implementation can be performed by the command analyzer 120 in the third mode in the previous system embodiment, so related technical features can refer to the relevant descriptions of the filtering module 1202, the classification module 1204 and the learning module 1206 in the command analyzer 120, I won't repeat them here.

Classify the current commands input by each host through step S220, that is, execute step 230 after identifying abnormal commands, that is, judge whether the alarm condition is met according to the identification result, and if so, send out an alarm message indicating that the corresponding host is abnormal. Specifically, when sending the alarm information that the corresponding host is abnormal, the number of times the commands input by each host are identified as abnormal commands within a certain period of time can be counted, and it can be judged whether the number of abnormal commands within the period reaches the preset threshold. If it is reached, the alarm information about the abnormality of the corresponding host will be sent. For example, the preset setting is to send an alarm message when 10 or more commands appear within 5 minutes. The host has abnormal alarm information. In addition to this warning manner, in order to realize a more flexible and accurate warning, step S230 may also have different corresponding implementation manners according to different implementation manners of step 220 . For example, when step S220 filters out abnormal commands through preset suspicious rules, and outputs the alarm weight of the abnormal commands hit by the suspicious rules, step S230 can judge whether the alarm condition is satisfied according to the alarm weight of the abnormal command, and if so, send The alarm information, specifically, can be to count all abnormal commands on a certain host identified within an alarm cycle, comprehensively process the corresponding alarm weights of these abnormal commands, and judge whether the value meets the requirements after comprehensive processing. Preset alarm conditions, such as accumulating the corresponding alarm weights of the abnormal commands that occur each time, judging whether the accumulated alarm weight reaches the preset threshold within this cycle, and if so, sending out an alarm message corresponding to the abnormality of the host .

Another example is when S220 classifies the received current command according to the training sample set of the existing classification model, obtains the probability that the current command is a normal command and the probability that it is an abnormal command, and then identifies whether the current command is an abnormal command , the implementation of S230 may be to count all abnormal commands on a certain host computer identified within an alarm period, perform comprehensive processing on the corresponding abnormal command probabilities of these abnormal commands, and judge whether to meet the requirements according to the comprehensively processed values Preset alarm conditions. When the probabilities of abnormal commands corresponding to these abnormal commands are comprehensively processed, the sum of the product of the probability of each abnormal command and the number of occurrences can be used as the reference data for whether to give an alarm. Specifically, the obtained reference data can be combined with Compared with the preset alarm threshold, if it is higher than the preset alarm threshold, an alarm message indicating that the corresponding host is abnormal will be issued.

For another example, when step S220 is to filter the received current command using preset suspicious rules, filter out the current command hit by the suspicious rule, and output the alarm weight of the current command hit by the suspicious rule; then according to the existing classification The training sample set of the model further classifies the selected current commands to obtain the probability that the current command is a normal command and the probability that the current command is an abnormal command, and then identify whether the current command is an abnormal command. At this time, the warning weight can be obtained based on the overall hit rate of the suspicious rule to the command. When implementing step S230, it may be to count all abnormal commands on a certain host identified in an alarm period, multiply the abnormal command probability corresponding to each abnormal command and the alarm weight to obtain the corresponding alarm index, and combine these The alarm index of the abnormal command is comprehensively processed, and it is judged whether the preset alarm condition is satisfied according to the comprehensively processed value. The comprehensive processing can be to take the product of the alarm index corresponding to each abnormal command and the number of occurrences, and then add the sum, as the reference data for whether to issue an alarm message, and then compare the reference data with the preset alarm threshold , if the reference data exceeds the preset alarm threshold, an alarm message indicating that the corresponding host is abnormal is issued.

The above step S230 having multiple specific implementation manners can be executed by the alarm device 130 in the above system embodiment, so related technical features can refer to the description of the alarm device 130 above, which will not be repeated here.

The analysis equipment, system and method according to an embodiment of the present invention have been described in detail above. For better understanding, a specific application example of the embodiment of the present invention is given below. Please refer to FIG. 3, which shows A specific application schematic diagram according to an embodiment of the present invention is shown. In the figure, Linux/Unix/BSD Server is a host computer in a network system. In a network system, there can be several host computers equipped with Linux/Unix/BSD. The shell of the command parser is modified so that it has the ability to send input commands (that is, send shell_log) to the Receive Server (the receiving server, which is equivalent to the centralized data collector 110 in the previous article), and the Receive Server will receive the shell_log as the log The form is recorded in the database (database). By comparing the host IP information of each command in the database with the host IP information deployed in the system, it can be known whether all hosts have accurately transmitted the commands executed on them to the Receive Server to ensure that all Linux/Unix/BSD Server commands are sent normally. When there is a failure or a new host joins the network system, the command sending module can be automatically deployed to the failure or new host.

In the process of analyzing the commands, based on the data of the Database, the online learning function can be used to perform machine learning on the existing data in the database to generate a recognition model. When it is necessary to identify the currently input command, the generated model can be used to monitor and identify the input command in real time, and an alarm will be issued when an abnormal command is identified and the alarm condition is met. When an alarm occurs, an email containing the alarm information can be sent to the preset email address through E-mail, or a message containing the alarm information can be sent to the preset phone number through the SMS information center.

The analysis equipment, system, and method for analyzing commands executed on each host computer provided by the embodiments of the present invention have been introduced in detail above, and the analysis equipment, system, and method for analyzing commands executed on each host computer can be used in In a network system including several hosts, collect the current commands transmitted by each host through the network and the identification of the host to which the current command belongs, effectively identify the commands with certain operational risks among the collected current commands, and judge the input on the host. Whether the command is an abnormal command or a normal command, when the abnormal command input by the host meets the alarm condition, an alarm message indicating that the corresponding host is abnormal is issued, so that the abnormal command input on each host in the network system that has a certain degree of danger can be alarmed in time , improving the security of the system. This solves the problem of bad influence on the stable operation of the host and even the entire system when dangerous commands are input on the host in the system due to misoperation by the administrator, hacker attacks, etc. Alarms are issued for dangerous commands, which improves the security of the system.

The algorithms and displays presented herein are not inherently related to any particular computer, virtual system, or other device. Various generic systems can also be used with the teachings based on this. The structure required to construct such a system is apparent from the above description. Furthermore, the present invention is not specific to any particular programming language. It should be understood that various programming languages can be used to implement the content of the present invention described herein, and the above description of specific languages is for disclosing the best mode of the present invention.

In the description provided herein, numerous specific details are set forth. However, it is understood that embodiments of the invention may be practiced without these specific details. In some instances, well-known methods, structures and techniques have not been shown in detail in order not to obscure the understanding of this description.

Similarly, it should be appreciated that in the foregoing description of exemplary embodiments of the invention, in order to streamline this disclosure and to facilitate an understanding of one or more of the various inventive aspects, various features of the invention are sometimes grouped together in a single embodiment, figure, or its description. This method of disclosure, however, is not to be interpreted as reflecting an intention that the claimed invention requires more features than are expressly recited in each claim. Rather, as the following claims reflect, inventive aspects lie in less than all features of a single foregoing disclosed embodiment. Thus, the claims following the Detailed Description are hereby expressly incorporated into this Detailed Description, with each claim standing on its own as a separate embodiment of this invention.

Those skilled in the art can understand that the modules in the device in the embodiment can be adaptively changed and arranged in one or more devices different from the embodiment. Modules or units or components in the embodiments may be combined into one module or unit or component, and furthermore may be divided into a plurality of sub-modules or sub-units or sub-assemblies. All features disclosed in this specification (including accompanying claims, abstract and drawings), as well as any method or method so disclosed, may be used in any combination, except that at least some of such features and/or processes or units are mutually exclusive. All processes or units of equipment are combined. Each feature disclosed in this specification (including accompanying claims, abstract and drawings) may be replaced by alternative features serving the same, equivalent or similar purpose, unless expressly stated otherwise.

Furthermore, those skilled in the art will understand that although some embodiments described herein include some features included in other embodiments but not others, combinations of features from different embodiments are meant to be within the scope of the invention. and form different embodiments. For example, in the following claims, any of the claimed embodiments may be used in any combination.

The various component embodiments of the present invention may be implemented in hardware, or in software modules running on one or more processors, or in a combination thereof. Those skilled in the art should understand that a microprocessor or a digital signal processor (DSP) can be used in practice to implement some or all of the analysis devices for analyzing commands executed on each host according to the embodiments of the present invention Some or all of the features of the component. The present invention can also be implemented as an apparatus or an apparatus program (for example, a computer program and a computer program product) for performing a part or all of the methods described herein. Such a program for realizing the present invention may be stored on a computer-readable medium, or may be in the form of one or more signals. Such a signal may be downloaded from an Internet site, or provided on a carrier signal, or provided in any other form.

It should be noted that the above-mentioned embodiments illustrate rather than limit the invention, and that those skilled in the art will be able to design alternative embodiments without departing from the scope of the appended claims. In the claims, any reference signs placed between parentheses shall not be construed as limiting the claim. The word "comprising" does not exclude the presence of elements or steps not listed in a claim. The word "a" or "an" preceding an element does not exclude the presence of a plurality of such elements. The invention can be implemented by means of hardware comprising several distinct elements, and by means of a suitably programmed computer. In a unit claim enumerating several means, several of these means can be embodied by one and the same item of hardware. The use of the words first, second, and third, etc. does not indicate any order. These words can be interpreted as names.

The invention discloses A1, an analysis device for analyzing commands executed on each host, including:

The centralized data collector is configured to at least collect the current commands transmitted by each host terminal through the network and the identification of the host to which they belong;

A command analyzer configured to identify the current command collected by the centralized data collector, at least identifying abnormal commands and normal commands;

The alarm device is configured to judge whether the alarm condition is satisfied according to the recognition result of the command analyzer, and if so, send out alarm information that the corresponding host is abnormal.

A2, the analysis device as described in A1, the command analyzer includes a filtering module configured to filter the current command collected by the centralized data collector using a preset suspicious rule, and will be hit by the suspicious rule The current command is identified as an abnormal command, and the warning weight value of the abnormal command hit by the suspicious rule is output, and the warning weight value is obtained based on the overall hit rate of the suspicious rule to the command;

The alarm is specifically configured to determine whether an alarm condition is met according to the alarm weight of the abnormal command.

A3, the analysis device as described in A2, the alarm weight of the abnormal command output by the filtering module is obtained in the following manner: by using the overall hit rate of the suspicious rule to the existing command as an independent variable monotonically decreasing function, Obtain the warning weight of the abnormal command hit by the suspicious rule.

A4, the analysis device as described in A2 or A3, the alarm device is specifically configured to count all abnormal commands on a certain host identified by the command analyzer within an alarm period, and record the respective corresponding commands of these abnormal commands The alarm weight is comprehensively processed, and it is judged whether the preset alarm condition is satisfied according to the comprehensively processed value.

A5, the analysis device as described in A1, the command analyzer includes:

The classification module is configured to classify the current command received by the centralized data collector according to the training sample set of the existing classification model, obtain the probability that the current command is a normal command and the probability of an abnormal command, and then identify the Whether the current command is an abnormal command.

A6, the analysis device as described in A5, the alarm device is specifically configured to count all abnormal commands on a certain host identified by the command analyzer within an alarm period, and record the corresponding abnormal commands of these abnormal commands The probability is comprehensively processed, and it is judged whether the preset alarm condition is met according to the value after comprehensive processing.

A7, the analysis device as described in A1, the command analyzer includes:

The filtering module is configured to filter the current command received by the centralized data collector using preset suspicious rules, output the current command hit by the suspicious rule to the classification module, and output the current command hit by the suspicious rule The warning weight of the current command, the warning weight is obtained based on the overall hit rate of the suspicious rule to the command;

The classification module is configured to further classify the current command input from the filtering module according to the training sample set of the existing classification model, obtain the probability that the current command is a normal command and the probability of an abnormal command, and then identify the current command Whether it is an abnormal command.

A8, the analysis equipment as described in A5 or A7, described command analyzer also includes:

The learning module is configured to perform machine learning after combining the newly added current command with the existing training sample set, and update the existing training sample set used by the classification module.

A9, the analysis device as described in A7, the alarm device is specifically configured to count all abnormal commands on a certain host computer identified by the command analyzer within an alarm period, and the abnormal command corresponding to each abnormal command The corresponding warning index is obtained by multiplying the probability and the warning weight, and the warning indexes of these abnormal commands are processed comprehensively, and it is judged whether the preset warning condition is satisfied according to the comprehensively processed value.

B10. A system for analyzing commands executed on each host, comprising the analysis device described in any one of B1 to B9 and several host terminals;

The plurality of host terminals are configured to at least transmit the current command on each host and the ID of the host to the centralized data collector through the network.

B11, the system as described in B10, the host terminal includes:

The command sending module is configured to transform the command parser shell of each host, and increase the function of transmitting the host current command and host IP received by the shell to the centralized data collector.

B12. The system as described in B11, further comprising:

The monitor is configured to monitor the deployment of the command sending module in each host, and when it is found that a new host has not deployed the command sending module or when it is found that the command sending module on the host fails, through the The host IP that has not deployed the command sending module or the command sending module fails automatically logs in to the host, and deploys the command sending module for it.

C13. A method for analyzing commands executed on each host, comprising:

Collecting the current commands transmitted by each host through the network and the identifiers of the hosts to which they belong;

Identifying the collected current commands, at least identifying abnormal commands and normal commands;

It is judged whether the alarm condition is satisfied according to the above recognition result, and if it is satisfied, an alarm message indicating that the corresponding host is abnormal is issued.

C14. The method as described in C13, the step of identifying the collected current command includes:

The collected current commands are filtered by preset suspicious rules, the current commands hit by the suspicious rules are identified as abnormal commands, and the alarm weights of the abnormal commands hit by the suspicious rules are obtained. The value is obtained based on the overall hit rate of the suspicious rule to the command;

The step of judging whether the warning condition is met according to the identification result includes: judging whether the warning condition is met according to the warning weight value of the abnormal command.

C15. The method as described in C14, the warning weight of the abnormal order is obtained in the following manner:

The alarm weight of the abnormal command hit by the suspicious rule is obtained by taking the overall hit rate of the suspicious rule on the existing commands as the monotonically decreasing function of the independent variable.

C16. The method as described in C14, the step of judging whether an alarm condition is satisfied according to the recognition result includes:

Count all abnormal commands on a certain host identified in an alarm period, and comprehensively process the corresponding alarm weights of these abnormal commands, and judge whether the preset alarm conditions are met according to the comprehensively processed values.

C17. The method as described in C11, the identifying the collected current command includes:

According to the training sample set of the existing classification model, the current command received is classified to obtain the probability that the current command is a normal command and the probability that it is an abnormal command, and then identify whether the current command is an abnormal command.

C18. The method as described in C17, the step of judging whether an alarm condition is satisfied according to the recognition result includes:

Count all abnormal commands on a certain host identified within an alarm cycle, comprehensively process the corresponding abnormal command probabilities of these abnormal commands, and judge whether the preset alarm conditions are met according to the comprehensively processed values.

C19. The method as described in C13, the identifying the collected current command includes:

Filter the received current command using preset suspicious rules, filter out the current command hit by the suspicious rule, and output the warning weight of the current command hit by the suspicious rule, and the warning weight is based on the The overall hit rate of the order obtained by suspicious rules;

According to the training sample set of the existing classification model, the screened current command is further classified to obtain the probability that the current command is a normal command and the probability that the current command is an abnormal command, and then identify whether the current command is an abnormal command.

C20. The method as described in C17 or C19, further comprising:

Combine the newly added current command with the existing training sample set for machine learning, and update the existing training sample set used for classification.

C21, the method as described in C19, the step of judging whether the alarm condition is met according to the recognition result includes:

Count all abnormal commands on a certain host identified in an alarm period, multiply the abnormal command probability corresponding to each abnormal command by the alarm weight to obtain the corresponding alarm index, and integrate the alarm indices of these abnormal commands Processing, judging whether the preset alarm condition is met according to the comprehensively processed value.

C22. The method as described in C13-21, the step of collecting the current command transmitted by each host through the network and the identification of the host to which it belongs includes:

Modify the command parser shell of each host, add the function of transmitting the host current command and host IP received by the shell to the designated device through the network, and use the function to collect the current command of each host and the host ID of the host .

C23. The method as described in C22, further comprising:

Monitor the events of each host transmitting the current command and its own host ID. When it is found that there is a new host that has not undergone the above-mentioned shell modification or the modification fails, automatically log in to the host through the host IP to deploy the above-mentioned shell modification for it.

Claims (19)

1. An analysis device for analyzing commands executed on each host, comprising: The centralized data recycler is configured to at least collect the current command transmitted by each host terminal through the network and the host identifier to which the current command belongs, wherein the current command is a command currently input on each host terminal; A command analyzer configured to identify the commands currently input on each host terminal collected by the centralized data collector, at least to identify abnormal commands and normal commands; The alarm device is configured to judge whether the alarm condition is satisfied according to the identification result of the command analyzer, and if it is satisfied, send out an alarm message indicating that the corresponding host is abnormal; The command analyzer includes a filtering module configured to filter the current commands collected by the centralized data collector using preset suspicious rules, identify the current commands hit by the suspicious rules as abnormal commands, and output The warning weight of the abnormal command hit by the suspicious rule, the warning weight is obtained based on the overall hit rate of the suspicious rule to the command; The alarm weight of the abnormal command output by the filtering module is obtained in the following manner: by using the overall hit rate of the suspicious rule on existing commands as an independent variable, the abnormal command hit by the suspicious rule is obtained the warning weight; The alarm is specifically configured to determine whether an alarm condition is met according to the alarm weight of the abnormal command. 2. The analysis device according to claim 1, wherein the alarm device is specifically configured to count all abnormal commands on a certain host identified by the command analyzer within an alarm period, and record the respective corresponding commands of these abnormal commands The alarm weight is comprehensively processed, and it is judged whether the preset alarm condition is satisfied according to the comprehensively processed value. 3. The analysis device of claim 1, said command analyzer comprising: The classification module is configured to classify the current command received by the centralized data collector according to the training sample set of the existing classification model, obtain the probability that the current command is a normal command and the probability of an abnormal command, and then identify the Whether the current command is an abnormal command. 4. The analysis device according to claim 3, wherein the alarm device is specifically configured to count all abnormal commands on a certain host identified by the command analyzer within an alarm period, and record the respective corresponding commands of these abnormal commands The abnormal command probability is comprehensively processed, and it is judged whether the preset alarm condition is met according to the comprehensively processed value. 5. The analysis device of claim 1 , said command analyzer comprising: The filtering module is configured to filter the current command received by the centralized data collector using preset suspicious rules, output the current command hit by the suspicious rule to the classification module, and output the current command hit by the suspicious rule The warning weight of the current command, the warning weight is obtained based on the overall hit rate of the suspicious rule to the command; The classification module is configured to further classify the current command input from the filtering module according to the training sample set of the existing classification model, obtain the probability that the current command is a normal command and the probability of an abnormal command, and then identify the current command Whether it is an abnormal command. 6. The analysis device according to claim 3 or 5, the command analyzer further comprising: The learning module is configured to perform machine learning after combining the newly added current command with the existing training sample set, and update the existing training sample set used by the classification module. 7. The analysis device according to claim 6, wherein the alarm device is specifically configured to count all abnormal commands on a certain host computer identified by the command analyzer within an alarm period, and count each abnormal command corresponding to The corresponding alarm index is obtained by multiplying the abnormal command probability and the alarm weight value, and the alarm index of these abnormal commands is integrated, and it is judged whether the preset alarm condition is met according to the integrated value. 8. A system for analyzing commands executed on each host, comprising the analysis device and several host terminals as claimed in any one of claims 1 to 7; The plurality of host terminals are configured to at least transmit the current command on each host and the ID of the host to the centralized data collector through the network. 9. The system of claim 8, said host terminal comprising: The command sending module is configured to transform the command parser shell of each host, and increase the function of transmitting the host current command and host IP received by the shell to the centralized data collector. 10. The system of claim 9, further comprising: The monitor is configured to monitor the deployment of the command sending module in each host, and when it is found that a new host has not deployed the command sending module or when it is found that the command sending module on the host fails, through the The host IP that has not deployed the command sending module or the command sending module fails automatically logs in to the host, and deploys the command sending module for it. 11. A method for analyzing commands executed on respective hosts, comprising: Collecting the current commands transmitted by the hosts through the network and the identifiers of the hosts to which the current commands belong, wherein the current commands are currently input commands on the terminals of each host; Identifying the collected commands currently input on each host terminal, at least identifying abnormal commands and normal commands; According to the above identification results, it is judged whether the alarm condition is satisfied, and if it is satisfied, an alarm message indicating that the corresponding host is abnormal is issued; The step of identifying the collected current command includes: The collected current commands are filtered by preset suspicious rules, the current commands hit by the suspicious rules are identified as abnormal commands, and the alarm weights of the abnormal commands hit by the suspicious rules are obtained. The value is obtained based on the overall hit rate of the suspicious rule to the command; The warning weight of the abnormal command is obtained in the following way: Obtain the alarm weight of the abnormal command hit by the suspicious rule by using the overall hit rate of the suspicious rule on the existing commands as the monotonically decreasing function of the independent variable; The step of judging whether the warning condition is met according to the identification result includes: judging whether the warning condition is met according to the warning weight value of the abnormal command. 12. The method according to claim 11, said step of judging whether an alarm condition is met according to the recognition result comprises: Count all abnormal commands on a certain host identified in an alarm period, and comprehensively process the corresponding alarm weights of these abnormal commands, and judge whether the preset alarm conditions are met according to the comprehensively processed values. 13. The method according to claim 11, said identifying the collected current command comprises: According to the training sample set of the existing classification model, the current command received is classified to obtain the probability that the current command is a normal command and the probability that it is an abnormal command, and then identify whether the current command is an abnormal command. 14. The method according to claim 13, said step of judging whether an alarm condition is met according to the identification result comprises: Count all abnormal commands on a certain host identified within an alarm cycle, comprehensively process the corresponding abnormal command probabilities of these abnormal commands, and judge whether the preset alarm conditions are met according to the comprehensively processed values. 15. The method according to claim 12, said identifying the collected current command comprises: Filter the received current command using preset suspicious rules, filter out the current command hit by the suspicious rule, and output the warning weight of the current command hit by the suspicious rule, and the warning weight is based on the The overall hit rate of the order obtained by suspicious rules; According to the training sample set of the existing classification model, the screened current command is further classified to obtain the probability that the current command is a normal command and the probability that the current command is an abnormal command, and then identify whether the current command is an abnormal command. 16. The method of claim 13 or 15, further comprising: Combine the newly added current command with the existing training sample set for machine learning, and update the existing training sample set used for classification. 17. The method according to claim 15, wherein the step of judging whether an alarm condition is met according to the recognition result comprises: Count all abnormal commands on a certain host identified in an alarm period, multiply the abnormal command probability corresponding to each abnormal command by the alarm weight to obtain the corresponding alarm index, and integrate the alarm indices of these abnormal commands Processing, judging whether the preset alarm condition is met according to the comprehensively processed value. 18. The method according to any one of claims 11-15 and 17, wherein the step of collecting the current commands transmitted by the hosts through the network and the identifiers of the hosts they belong to comprises: Modify the command parser shell of each host, add the function of transmitting the host current command and host IP received by the shell to the designated device through the network, and use the function to collect the current command of each host and the host ID of the host . 19. The method of claim 18, further comprising: Monitor the events of each host transmitting the current command and its own host ID. When it is found that there is a new host that has not undergone the above-mentioned shell modification or the modification fails, automatically log in to the host through the host IP to deploy the above-mentioned shell modification for it.