CN113704179B - File monitoring method, device, computer system and storage medium - Google Patents

Info

Publication number
CN113704179B
Authority
CN
China
Prior art keywords
file
monitoring
parameter
external operation
responding
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Active
Application number
CN202010438627.0A
Other languages
Chinese (zh)
Other versions
CN113704179A (en)
Inventor
屈梦梦
李常坤
刘金朋
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Qax Technology Group Inc
Secworld Information Technology Beijing Co Ltd
Original Assignee
Qax Technology Group Inc
Secworld Information Technology Beijing Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Qax Technology Group Inc, Secworld Information Technology Beijing Co Ltd
Priority to CN202010438627.0A
Publication of CN113704179A
Application granted
Publication of CN113704179B

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/10 File systems; File servers
    • G06F16/13 File access structures, e.g. distributed indices
    • G06F16/16 File or folder operations, e.g. details of user interfaces specifically adapted to file systems
    • G06F16/17 Details of further file system functions
    • G06F16/1734 Details of monitoring file system events, e.g. by the use of hooks, filter drivers, logs

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Data Mining & Analysis (AREA)
  • Databases & Information Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Human Computer Interaction (AREA)
  • Debugging And Monitoring (AREA)

Abstract

The disclosure provides a file monitoring method, comprising the following steps: setting operation parameters of a functional module for realizing a file system notification mechanism in a kernel mode, wherein the operation parameters comprise processing functions for responding to file events; monitoring whether the file system responds to external operation within a predetermined period of time by calling a monitoring interface function of the functional module; in response to monitoring that the file system responds to external operation within a predetermined period of time, calling a processing function according to a file event triggered by the response of the file system to the external operation to obtain information of a file responding to the external operation in the file system, wherein the information of the file responding to the external operation comprises a path of the file and a type of the file event; and sending the information of the file responding to the external operation to the user-mode application program so that the application program can process the file responding to the external operation. The disclosure also provides a file monitoring device, a computer system and a storage medium.

Description

File monitoring method, device, computer system and storage medium
Technical Field
The present disclosure relates to the field of computer technology, and more particularly, to a file monitoring method, device, computer system, and storage medium.
Background
In computer applications, some applications need to be aware of operations such as file creation and file closing in a file system in order to process the files on which those operations occurred.
In implementing the disclosed concept, the inventors found that when a ready-to-use file monitoring notification application is provided in user mode, a designated file or directory can be monitored by calling that application.
However, when a user-mode file monitoring notification application is used for monitoring, the directories or files to be monitored generally have to be set explicitly. If the current file system contains many files or directories, designating the directories and files to be monitored one by one is very time-consuming and consumes a large amount of memory, resulting in a heavy system load.
Disclosure of Invention
In view of this, the present disclosure provides a method, an apparatus, a computer system, and a storage medium for file monitoring.
One aspect of the present disclosure provides a file monitoring method, including: setting operation parameters of a functional module for realizing a file system notification mechanism in a kernel mode, wherein the operation parameters comprise processing functions for responding to file events; monitoring whether the file system responds to external operation within a predetermined period of time by calling a monitoring interface function of the functional module; in response to monitoring that the file system responds to external operation within a predetermined period of time, calling a processing function according to a file event triggered by the response of the file system to the external operation to obtain information of a file responding to the external operation in the file system, wherein the information of the file responding to the external operation comprises a path of the file and a type of the file event; and transmitting the information of the file responding to the external operation to the user-mode application program so that the application program processes the file responding to the external operation.
According to an embodiment of the present disclosure, the monitoring interface function includes a first parameter for identifying a first directory corresponding to the first parameter and all files in each level of sub-directory under the first directory, and a second parameter for identifying files in a second directory corresponding to the second parameter.
According to an embodiment of the present disclosure, the method further comprises, after invoking the monitoring interface function: the first parameter is set to the root directory of the file system, and the second parameter is set to null so that whether all files in each level of sub-directory under the root directory of the file system respond to external operations is monitored during the process of calling the monitoring interface function.
According to an embodiment of the present disclosure, the method further comprises, prior to invoking the monitoring interface function of the functional module: calling a registration interface function of the functional module; registering the function module according to the operation parameters; and calling the monitoring interface function of the functional module after the registration is successful.
According to an embodiment of the present disclosure, transmitting information of a file in response to an external operation to a user-mode application program includes: the information of the file in which the operation occurs is transmitted to a communication port number pre-agreed with the application program, so that the application program acquires the information of the file in response to the external operation by listening to the communication port number.
According to an embodiment of the present disclosure, the type of file event includes at least one of: file creation, file opening, file writing, file closing, file deletion, and file renaming.
Another aspect of the present disclosure provides a file monitoring apparatus, including: a first setting module for setting the operation parameters of the functional module for realizing the file system notification mechanism in the kernel mode, wherein the operation parameters comprise processing functions for responding to file events; a monitoring module for monitoring whether the file system responds to external operation within a predetermined period of time by calling the monitoring interface function of the functional module; a processing module for, in response to monitoring that the file system responds to the external operation within the predetermined period of time, calling a processing function according to a file event triggered by the response of the file system to the external operation so as to obtain information of a file responding to the external operation in the file system, wherein the information of the file responding to the external operation comprises a path of the file and a type of the file event; and a sending module for sending the information of the file responding to the external operation to the user-mode application program so that the application program can process the file responding to the external operation.
According to an embodiment of the present disclosure, the monitoring interface function includes a first parameter for identifying a first directory corresponding to the first parameter and all files in each level of sub-directory under the first directory, and a second parameter for identifying files in a second directory corresponding to the second parameter.
According to an embodiment of the present disclosure, the apparatus further comprises: and the second setting module is used for setting the first parameter as the root directory of the file system and setting the second parameter as null after the monitoring interface function is called, so that whether all files in all levels of subdirectories under the root directory of the file system respond to external operations or not is monitored in the process of calling the monitoring interface function.
Another aspect of the present disclosure provides a computer-readable storage medium storing computer-executable instructions that, when executed, are configured to implement a method as described above.
Another aspect of the present disclosure provides a computer program product comprising computer executable instructions which, when executed, are for implementing a method as described above.
Another aspect of the present disclosure provides a computer system comprising: one or more processors; and a storage means for storing one or more programs, which when executed by the one or more processors cause the one or more processors to implement the methods as described above.
According to the embodiment of the disclosure, the operation parameters of a functional module in a kernel mode for realizing a file system notification mechanism are set, wherein the operation parameters comprise processing functions for responding to file events; whether the file system responds to external operation within a predetermined period of time is monitored by calling a monitoring interface function of the functional module; in response to monitoring that the file system responds to external operation within the predetermined period of time, a file event is triggered, and a processing function is called to process the file event to obtain information of a file responding to the external operation in the file system, wherein the information of the file responding to the external operation comprises a path of the file and a type of the file event; and the information of the file responding to the external operation is sent to the user-mode application program so that the application program can process the file responding to the external operation. Because the functional module for realizing the file system notification mechanism in kernel mode is used to monitor the file system, the monitored directories and files do not need to be designated one by one. The technical problem of high system load caused by designating the monitored directories and files one by one in the related art is thereby at least partially solved, and the technical effect of a small influence on the system load is achieved.
Drawings
The above and other objects, features and advantages of the present disclosure will become more apparent from the following description of embodiments thereof with reference to the accompanying drawings in which:
FIG. 1 schematically illustrates an exemplary system architecture to which the file monitoring methods and apparatus of the present disclosure may be applied;
FIG. 2 schematically illustrates a flow chart of a file monitoring method according to an embodiment of the present disclosure;
FIG. 3 schematically illustrates a flow chart of a method of a processing module registering with a monitoring module according to an embodiment of the disclosure;
FIG. 4 schematically illustrates a block diagram of a file monitoring apparatus according to an embodiment of the disclosure; and
FIG. 5 schematically illustrates a block diagram of a computer system suitable for file monitoring methods and apparatus in accordance with embodiments of the present disclosure.
Detailed Description
Hereinafter, embodiments of the present disclosure will be described with reference to the accompanying drawings. It should be understood that the description is only exemplary and is not intended to limit the scope of the present disclosure. In the following detailed description, for purposes of explanation, numerous specific details are set forth in order to provide a thorough understanding of the embodiments of the present disclosure. It may be evident, however, that one or more embodiments may be practiced without these specific details. In addition, in the following description, descriptions of well-known structures and techniques are omitted so as not to unnecessarily obscure the concepts of the present disclosure.
The terminology used herein is for the purpose of describing particular embodiments only and is not intended to be limiting of the disclosure. The terms "comprises," "comprising," and/or the like, as used herein, specify the presence of stated features, steps, operations, and/or components, but do not preclude the presence or addition of one or more other features, steps, operations, or components.
All terms (including technical and scientific terms) used herein have the same meaning as commonly understood by one of ordinary skill in the art unless otherwise defined. It should be noted that the terms used herein should be construed to have meanings consistent with the context of the present specification and should not be construed in an idealized or overly formal manner.
Where expressions like "at least one of A, B and C, etc." are used, they should generally be interpreted in accordance with the meaning commonly understood by those skilled in the art (e.g., "a system having at least one of A, B and C" shall include, but not be limited to, a system having A alone, B alone, C alone, A and B together, A and C together, B and C together, and/or A, B, C together, etc.). Where a formulation similar to "at least one of A, B or C, etc." is used, it should likewise be interpreted in accordance with the ordinary understanding of one skilled in the art (e.g., "a system having at least one of A, B or C" shall include, but not be limited to, a system having A alone, B alone, C alone, A and B together, A and C together, B and C together, and/or A, B, C together, etc.).
In implementing the present disclosure, it was found that ready-to-use file monitoring notification schemes are available in user mode. Monitoring schemes that can be used directly in user mode include inotify (inode notification) and dnotify (directory notification).
When inotify or dnotify running in user mode is used for monitoring, the directory or file to be monitored must be set explicitly; otherwise it is not monitored. Monitoring is therefore limited to changes of the explicitly designated files or directories.
Meanwhile, neither inotify nor dnotify can monitor the files in all levels of subdirectories under a designated directory. When a directory and its subdirectories need to be monitored at the same time, all the subdirectories have to be designated level by level, so these schemes are only suitable for monitoring a small number of files or directories.
Furthermore, monitoring the whole file system with inotify or dnotify requires first scanning all files and directories on the current system and then designating the directories and files to be monitored one by one, which is very cumbersome and has low feasibility. If there are many files or directories on the current file system, scanning the entire file system is very time-consuming, and setting up monitoring for all directories and files requires a large amount of memory and file descriptor resources, so there is a high probability of failure because memory or file descriptors run out.
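The limitation described in the three paragraphs above can be reproduced from user space. The following C program is an added example, not part of the patent text: it builds a constructed scratch tree under /tmp (the path and all function names are assumptions of this example) and compares one inotify watch on the top directory with one watch per directory when a file is created two levels down.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <ftw.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/inotify.h>
#include <sys/stat.h>
#include <unistd.h>

#define WATCH_MASK (IN_CREATE | IN_CLOSE_WRITE)

static int g_ifd = -1;     /* inotify instance used by the nftw() callback */
static int g_watches = 0;  /* watches registered during the current run */

/* nftw() callback: inotify needs one explicit watch per directory. */
static int add_dir_watch(const char *path, const struct stat *sb,
                         int type, struct FTW *ftw)
{
    (void)sb; (void)ftw;
    if (type != FTW_D)
        return 0;
    if (inotify_add_watch(g_ifd, path, WATCH_MASK) < 0)
        return -1;
    g_watches++;
    return 0;
}

/* Drain the non-blocking inotify fd and return the number of queued events. */
static int drain_events(int ifd)
{
    char buf[4096] __attribute__((aligned(__alignof__(struct inotify_event))));
    ssize_t len;
    int n = 0;
    while ((len = read(ifd, buf, sizeof buf)) > 0) {
        for (char *p = buf; p < buf + len; ) {
            const struct inotify_event *ev = (const struct inotify_event *)p;
            n++;
            p += sizeof *ev + ev->len;
        }
    }
    return n;
}

/*
 * Build <tmp>/a/b, watch only the top directory (recursive == 0) or every
 * directory in the tree (recursive == 1), then create <tmp>/a/b/new.txt.
 * Returns the number of events received, or -1 on setup failure; *watches
 * receives the number of watches that had to be registered.
 */
int events_for_nested_create(int recursive, int *watches)
{
    char root[] = "/tmp/fsmon-demo-XXXXXX";  /* constructed scratch location */
    char dir_a[PATH_MAX], dir_b[PATH_MAX], file[PATH_MAX];
    int events = -1;

    if (!mkdtemp(root))
        return -1;
    snprintf(dir_a, sizeof dir_a, "%s/a", root);
    snprintf(dir_b, sizeof dir_b, "%s/a/b", root);
    snprintf(file, sizeof file, "%s/a/b/new.txt", root);

    g_watches = 0;
    g_ifd = inotify_init1(IN_NONBLOCK | IN_CLOEXEC);
    if (g_ifd >= 0 && mkdir(dir_a, 0700) == 0 && mkdir(dir_b, 0700) == 0) {
        int ok;
        if (recursive) {
            ok = nftw(root, add_dir_watch, 16, FTW_PHYS) == 0;
        } else {
            ok = inotify_add_watch(g_ifd, root, WATCH_MASK) >= 0;
            g_watches = ok ? 1 : 0;
        }
        if (ok) {
            int fd = open(file, O_CREAT | O_WRONLY, 0600);
            if (fd >= 0)
                close(fd);
            events = drain_events(g_ifd);
        }
    }
    *watches = g_watches;
    if (g_ifd >= 0)
        close(g_ifd);
    unlink(file); rmdir(dir_b);
    rmdir(dir_a); rmdir(root);
    return events;
}

int main(void)
{
    int w, n;
    n = events_for_nested_create(0, &w);
    printf("watch on top directory only: %d watch, %d events\n", w, n);
    n = events_for_nested_create(1, &w);
    printf("watch on every directory:    %d watches, %d events\n", w, n);
    return 0;
}
```

With a watch on the top directory only, the nested creation produces no event; covering this three-directory tree already takes three watches, and the number grows with every directory on the file system.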
Based on this, the embodiment of the disclosure provides a file monitoring method. Setting operation parameters of a functional module in a kernel mode for realizing a file system notification mechanism, wherein the operation parameters comprise processing functions for responding to file events; monitoring whether the file system responds to external operation within a predetermined period of time by calling a monitoring interface function of the functional module; in response to monitoring that the file system responds to external operation within a predetermined period of time, calling a processing function according to a file event triggered by the response of the file system to the external operation to obtain information of a file responding to the external operation in the file system, wherein the information of the file responding to the external operation comprises a path of the file and a type of the file event; and transmitting the information of the file responding to the external operation to the user-mode application program so that the application program processes the file responding to the external operation.
FIG. 1 schematically illustrates an exemplary system architecture 100 in which the file monitoring methods and apparatus of embodiments of the present disclosure may be applied. It should be noted that fig. 1 is only an example of a system architecture to which embodiments of the present disclosure may be applied to assist those skilled in the art in understanding the technical content of the present disclosure, but does not mean that embodiments of the present disclosure may not be used in other devices, systems, environments, or scenarios.
As shown in fig. 1, a system architecture 100 according to this embodiment may include a monitoring module 101, a processing module 102, and an application 103. The monitoring module 101 and the processing module 102 may be functional modules in kernel mode of the operating system, and the application 103 may be functional modules in user mode of the operating system.
The kernel of the Linux operating system provides a file system notification mechanism (file system notify, fsnotify for short). The monitoring module 101 may be a functional module for implementing the file system notification mechanism.
The processing module 102 may be a functional module for calling an interface function of the monitoring module to implement file system monitoring, and the processing module 102 may also perform kernel-mode and user-mode communication with the application 103, for example, the processing module 102 may notify the application 103 of the monitoring result.
The application 103 may be software that needs to be aware of the file system's responses to external operations, e.g., the application 103 may be antivirus software that needs to be aware of file creation, writing, closing, renaming, etc. across the full-disk file system.
Fig. 2 schematically illustrates a flow chart of a file monitoring method according to an embodiment of the present disclosure.
As shown in fig. 2, the method includes operations S201 to S204.
In operation S201, an operation parameter of a functional module for implementing a file system notification mechanism in a kernel mode is set, wherein the operation parameter includes a processing function for responding to a file event.
According to the embodiment of the present disclosure, an operation parameter for implementing a file system notification mechanism may be preset in the processing module 102, so that an interface function of the monitoring module 101 is called using the operation parameter. The operation parameter may be, for example, a structure, and the structure may include a processing function for processing a file event. The file event may be an event triggered by the file system in response to an external operation; for example, the file system triggers a corresponding file open event, file write event, file rename event, and the like in response to an external operation such as opening, writing, or renaming a file.
According to embodiments of the present disclosure, the processing module 102 may call the processing function to process the corresponding file event when the file event is triggered. File events may also be filtered, e.g., file events triggered by file deletion may be filtered out so that file deletion events are not processed. The processing result of the file event may also be notified to the user-mode application program; for example, information such as the path of the file corresponding to the file event may be sent to the application program so that the application program processes the file.
In operation S202, whether the file system has responded to an external operation within a predetermined period of time is monitored by calling a monitoring interface function of the function module.
According to an embodiment of the present disclosure, the processing module 102 may call a monitoring interface function of the monitoring module 101 to implement monitoring of the file system during operation of the monitoring interface function. For example, the file system may be monitored for file opening, writing, closing, etc. operations.
According to an embodiment of the present disclosure, the monitoring interface function may include a first parameter and a second parameter, the first parameter may be used to identify a first directory corresponding to the first parameter and all files in each level of subdirectory under the first directory, and the second parameter may be used to identify files in a second directory corresponding to the second parameter.
After the operation S202 calls the monitoring interface function, the embodiment of the present disclosure further includes:
the first parameter is set to the root directory of the file system, and the second parameter is set to null so that whether all files in each level of sub-directory under the root directory of the file system respond to external operations is monitored during the process of calling the monitoring interface function.
According to an embodiment of the disclosure, the monitoring interface function may include a first parameter and a second parameter, where the first parameter may be an mnt parameter and the second parameter may be an inode parameter. The mnt parameter may be designated as a mount point of the file system, and the inode parameter may be designated as a corresponding file or directory.
According to the embodiment of the disclosure, a mount point of the file system may be the directory corresponding to a partition of the operating system. Specifically, the operating system may include a plurality of partitions, for example, a C disk, a D disk, and so on. Each partition may be mapped to a directory, for example a root directory, and the root directory corresponding to a partition is the "mount point" of that partition. Because the operating system may include multiple partitions, it may correspondingly have multiple mount points, and each partition of the operating system may be a separate file system.
According to embodiments of the present disclosure, an inode is a data structure in the Linux operating system that contains important information about an individual file in a file system. When a file system is created in Linux, a large number of inodes are created at the same time. Each file has a corresponding inode that contains some information about the file.
According to the embodiment of the disclosure, the mnt parameter may be designated as the root directory and the inode parameter may be designated as null, so that all files in every level of subdirectory under the root directory are monitored while the monitoring interface function is called. Compared with the inotify or dnotify scheme, in which only specified directories or files can be monitored, the embodiment of the disclosure can monitor the files of the whole disk without scanning the entire file system to designate the monitored directories and files individually, and has little influence on the system load.
According to the embodiment of the disclosure, when a plurality of different mount points exist in an operating system and all of them are under the root directory, the processing function needs to be called for every mount point to set the mnt parameter and the inode parameter.
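The patent's module calls the kernel's fsnotify interface directly, and that kernel code is not given on this page. As an added illustration of the same idea (one mark on a mount instead of one watch per directory), the C program below uses fanotify, the Linux user-space interface built on fsnotify. It is not the patent's implementation; the scratch path and function names are assumptions of this example, and setting a mount mark requires CAP_SYS_ADMIN.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/fanotify.h>
#include <sys/stat.h>
#include <unistd.h>

#define EVENT_MASK (FAN_OPEN | FAN_MODIFY | FAN_CLOSE_WRITE)

/* Name the most significant event type carried in a (possibly merged) mask. */
const char *event_type(uint64_t mask)
{
    if (mask & FAN_CLOSE_WRITE) return "file close";
    if (mask & FAN_MODIFY)      return "file write";
    if (mask & FAN_OPEN)        return "file open";
    return "other";
}

/* Resolve the path of the file an event refers to from its descriptor. */
static int event_path(int fd, char *out, size_t cap)
{
    char link[64];
    ssize_t n;
    snprintf(link, sizeof link, "/proc/self/fd/%d", fd);
    n = readlink(link, out, cap - 1);
    if (n >= 0)
        out[n] = '\0';
    return n < 0 ? -1 : 0;
}

/* Read queued events; OR together the masks of those whose path contains tag. */
static int collect(int fan, const char *tag, int verbose)
{
    struct fanotify_event_metadata buf[64];
    ssize_t len;
    int seen = 0;
    while ((len = read(fan, buf, sizeof buf)) > 0) {
        struct fanotify_event_metadata *ev = buf;
        for (; FAN_EVENT_OK(ev, len); ev = FAN_EVENT_NEXT(ev, len)) {
            char path[PATH_MAX];
            if (ev->fd < 0)          /* queue overflow carries no descriptor */
                continue;
            if (event_path(ev->fd, path, sizeof path) == 0 && strstr(path, tag)) {
                seen |= (int)(ev->mask & EVENT_MASK);
                if (verbose)
                    printf("%-10s %s\n", event_type(ev->mask), path);
            }
            close(ev->fd);
        }
    }
    return seen;
}

/*
 * Put ONE mark on the mount containing a scratch tree, write a file two levels
 * down, and return the OR of the event masks reported for that file.
 * Returns -1 when the mark cannot be set (mount marks need CAP_SYS_ADMIN).
 */
int mount_mark_demo(int verbose)
{
    char root[] = "/tmp/fsmon-mnt-XXXXXX";   /* constructed scratch location */
    char dir_a[PATH_MAX], dir_b[PATH_MAX], file[PATH_MAX];
    int fan, seen = -1;
    if (!mkdtemp(root))
        return -1;
    snprintf(dir_a, sizeof dir_a, "%s/a", root);
    snprintf(dir_b, sizeof dir_b, "%s/a/b", root);
    snprintf(file, sizeof file, "%s/a/b/new.txt", root);
    fan = fanotify_init(FAN_CLASS_NOTIF | FAN_NONBLOCK | FAN_CLOEXEC, O_RDONLY);
    if (fan >= 0 && mkdir(dir_a, 0700) == 0 && mkdir(dir_b, 0700) == 0 &&
        fanotify_mark(fan, FAN_MARK_ADD | FAN_MARK_MOUNT, EVENT_MASK,
                      AT_FDCWD, root) == 0) {
        int fd = open(file, O_CREAT | O_WRONLY, 0600);
        if (fd >= 0 && write(fd, "x", 1) != 1)
            perror("write");
        if (fd >= 0)
            close(fd);
        seen = collect(fan, strrchr(root, '/'), verbose);
    }
    if (fan >= 0)
        close(fan);
    unlink(file); rmdir(dir_b);
    rmdir(dir_a); rmdir(root);
    return seen;
}

int main(void)
{
    if (mount_mark_demo(1) < 0)
        puts("mount mark not permitted (run with CAP_SYS_ADMIN)");
    return 0;
}
```

The mark covers only the mount that contains the given path, so a system with several mount points needs one mark per mount, which matches the multi-mount-point case in the paragraph above.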
In operation S203, in response to monitoring that the file system has responded to the external operation within the predetermined period of time, a processing function is called according to a file event triggered by the response of the file system to the external operation, so as to obtain information of a file in the file system that responds to the external operation, wherein the information of the file that responds to the external operation includes a path of the file and a type of the file event.
According to the embodiment of the present disclosure, when the monitoring module 101 monitors that an operation such as opening, writing, closing occurs on a file in the file system, a corresponding file event is triggered. In response to a file event, the processing module 102 may call a preset processing function, which may be referred to as a callback of the processing function. In the process of calling back the processing function, the file event can be processed, and the path and the file event type of the file with the operations of opening, writing, closing and the like can be obtained.
According to an embodiment of the present disclosure, the file event type may include at least one of: file creation, file opening, file writing, file closing, file deletion, and file renaming.
For example, the type of the file event of the file in which the open operation occurs may be file open, the type of the file event of the file in which the create operation occurs may be file create, the type of the file event of the file in which the write operation occurs may be file write, the type of the file event of the file in which the close operation occurs may be file close, the type of the file event of the file in which the delete operation occurs may be file delete, and the type of the file event of the file in which the rename operation occurs may be file rename.
In operation S204, information of the file in response to the external operation is transmitted to the application program in the user mode so that the application program processes the file in response to the external operation.
According to the embodiment of the disclosure, the path of the file subjected to the operation and the file event type can be sent to the user-mode application program 103, so that the application program 103 processes the file subjected to the operation, for example, the application program 103 kills the file.
According to the embodiment of the disclosure, an interface function of the functional module that implements the file system notification mechanism is called in kernel mode to monitor whether operations such as opening and closing occur on files in the file system. When such an operation occurs, a file event is triggered; in response to the file event, a file event processing function preset in kernel mode is called to obtain the path of the file on which the operation occurred and the file event type, and the file path and event type are notified to the user-mode application program so that the application program can process that file. The method can accurately monitor the file system in kernel mode, does not need to designate the monitored directories and files one by one, and has little influence on the system load.
According to embodiments of the present disclosure, the execution subject of embodiments of the present disclosure may be the processing module 102. The processing module 102 can be directly integrated with the kernel of the operating system, and adopts a file system notification mechanism provided in the kernel to flexibly and efficiently realize the notification of operations such as file creation, closing, writing, deletion and the like.
Fig. 3 schematically shows a flow chart of a method of registering a processing module with a monitoring module.
As shown in fig. 3, the method may include operations S301 to S303.
In operation S301, a registration interface function of the function module is called.
According to an embodiment of the present disclosure, the processing module 102 may call a registration interface function of the monitoring module 101 to register before calling the monitoring interface function of the monitoring module 101.
In operation S302, a registration is performed with the function module according to the operation parameters.
According to the embodiment of the present disclosure, the operation parameters preset in the processing module 102 for implementing the notification mechanism of the file system may be transferred into the registration interface function, so as to implement the registration of the processing module 102 with the monitoring module 101.
In operation S303, after the registration is successful, the monitoring interface function of the function module is called.
According to an embodiment of the present disclosure, after the processing module 102 performs registration with the monitoring module 101, a monitoring interface function of the monitoring module 101 may be invoked.
According to an embodiment of the present disclosure, operation S204 may include: the information of the file in which the operation occurs is transmitted to a communication port number pre-agreed with the application program, so that the application program acquires the information of the file in response to the external operation by listening to the communication port number.
According to the embodiment of the present disclosure, the processing module 102 may also communicate between kernel mode and user mode with the application program 103, for example through a predetermined communication port number, which may be, for example, a netlink port number.
According to the embodiment of the present disclosure, the processing module 102 may send the path and the file event type of the file where the operation occurs to a predetermined communication port number, and the application 103 in the user state may obtain the path and the file event type of the file where the operation occurs by monitoring the predetermined communication port number, so that the application 103 may perceive operations such as file creation, file closing, file renaming, and the like in the file system.
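On the user-mode side of the exchange described above, each received message should be validated before the path is acted on: the sender must be the kernel and every declared length must fit the bytes that arrived. The following C code is an added example, not code from the patent; the payload layout (event code, path length, then path bytes after a netlink-style header), the event codes and all function names are assumptions, and the sample messages are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HDR_LEN 16u         /* size of struct nlmsghdr on Linux */
#define FIXED_LEN 8u        /* assumed payload prefix: event code + path length */
#define MAX_PATH_LEN 4096u  /* PATH_MAX on Linux */

/* Same field layout as struct nlmsghdr in <linux/netlink.h>. */
struct nl_hdr { uint32_t len; uint16_t type; uint16_t flags; uint32_t seq; uint32_t pid; };
_Static_assert(sizeof(struct nl_hdr) == HDR_LEN, "unexpected header padding");

/* Assumed codes for the event types the page lists. */
enum fe_type { FE_CREATE = 1, FE_OPEN, FE_WRITE, FE_CLOSE, FE_DELETE, FE_RENAME };
enum fe_status { FE_OK, FE_NOT_KERNEL, FE_SHORT, FE_BAD_LEN, FE_BAD_TYPE, FE_BAD_PATH };

struct file_event { enum fe_type type; char path[MAX_PATH_LEN]; };

/* Validate and decode one received message.
 * sender_port is sockaddr_nl.nl_pid as filled in by recvmsg(); messages that
 * originate in the kernel carry port 0, any other value is another process. */
enum fe_status parse_file_event(const unsigned char *buf, size_t got,
                                uint32_t sender_port, struct file_event *out)
{
    struct nl_hdr h;
    uint32_t type, path_len;
    const unsigned char *path;

    if (sender_port != 0)
        return FE_NOT_KERNEL;
    if (got < HDR_LEN + FIXED_LEN)
        return FE_SHORT;
    memcpy(&h, buf, sizeof h);
    /* The declared length must cover the fixed part and fit what arrived. */
    if (h.len < HDR_LEN + FIXED_LEN || h.len > got)
        return FE_BAD_LEN;
    memcpy(&type, buf + HDR_LEN, 4);
    memcpy(&path_len, buf + HDR_LEN + 4, 4);
    if (type < (uint32_t)FE_CREATE || type > (uint32_t)FE_RENAME)
        return FE_BAD_TYPE;
    /* Bound path_len by the destination buffer and by the bytes present. */
    if (path_len == 0 || path_len >= MAX_PATH_LEN ||
        path_len > h.len - HDR_LEN - FIXED_LEN)
        return FE_BAD_PATH;
    path = buf + HDR_LEN + FIXED_LEN;
    /* Require an absolute path with no embedded NUL. */
    if (path[0] != '/' || memchr(path, '\0', path_len) != NULL)
        return FE_BAD_PATH;
    memcpy(out->path, path, path_len);
    out->path[path_len] = '\0';
    out->type = (enum fe_type)type;
    return FE_OK;
}

/* Build a constructed sample message in buf (must hold 24 + strlen(path)
 * bytes). claimed_path_len may differ from the real length to exercise the
 * bounds checks. Returns the total message length. */
size_t build_sample(unsigned char *buf, uint32_t type, const char *path,
                    uint32_t claimed_path_len)
{
    uint32_t real = (uint32_t)strlen(path);
    struct nl_hdr h = { HDR_LEN + FIXED_LEN + real, 0, 0, 1, 0 };

    memcpy(buf, &h, sizeof h);
    memcpy(buf + HDR_LEN, &type, 4);
    memcpy(buf + HDR_LEN + 4, &claimed_path_len, 4);
    memcpy(buf + HDR_LEN + FIXED_LEN, path, real);
    return h.len;
}

int main(void)
{
    unsigned char buf[256];
    static struct file_event ev;
    size_t n = build_sample(buf, FE_WRITE, "/tmp/demo.txt", 13);

    printf("kernel sender:      %d\n", parse_file_event(buf, n, 0, &ev));
    printf("port 4242 sender:   %d\n", parse_file_event(buf, n, 4242, &ev));
    n = build_sample(buf, FE_WRITE, "/tmp/demo.txt", 4000);
    printf("oversized path_len: %d\n", parse_file_event(buf, n, 0, &ev));
    return 0;
}
```

In a real receiver the `sender_port` argument comes from the `struct sockaddr_nl` that `recvmsg()` fills in for each datagram, so the check is made per message rather than once per socket.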
Fig. 4 schematically illustrates a block diagram of a file monitoring apparatus according to an embodiment of the present disclosure.
As shown in fig. 4, the file monitoring apparatus 400 includes a first setting module 410, a monitoring module 420, a processing module 430, and a transmitting module 440.
A first setting module 410, configured to set an operation parameter of a functional module in a kernel mode for implementing a file system notification mechanism, where the operation parameter includes a processing function for responding to a file event.
The monitoring module 420 is configured to monitor whether the file system responds to an external operation within a predetermined period of time by calling a monitoring interface function of the function module.
A processing module 430, configured to, in response to monitoring that the file system responds to an external operation within a predetermined period of time, call a processing function according to a file event triggered by the response of the file system to the external operation, so as to obtain information of a file in the file system responding to the external operation, where the information of the file responding to the external operation includes a path of the file and a type of the file event; and
A sending module 440, configured to send information of the file responding to the external operation to the application program in the user state, so that the application program processes the file responding to the external operation.
According to an embodiment of the disclosure, the monitoring interface function includes a first parameter for identifying a first directory corresponding to the first parameter and all files in each level of sub-directory under the first directory, and a second parameter for identifying files in a second directory corresponding to the second parameter.
According to an embodiment of the present disclosure, the file monitoring apparatus 400 further includes a second setting module.
The second setting module is configured to set the first parameter as the root directory of the file system and set the second parameter as null after the monitoring interface function is called, so that whether all files in all levels of subdirectories under the root directory of the file system respond to external operations is monitored in the process of calling the monitoring interface function.
According to an embodiment of the present disclosure, the monitoring module 420 includes: a first calling unit and a registering unit.
The first calling unit calls a registration interface function of the functional module.
The registration unit is used for registering the function module according to the operation parameters.
According to the embodiment of the present disclosure, the sending module 440 is specifically configured to send information of the file responding to the external operation to the application program in the user mode, so that the application program processes the file responding to the external operation.
Any number of modules, sub-modules, units, sub-units, or at least some of the functionality of any number of the sub-units according to embodiments of the present disclosure may be implemented in one module. Any one or more of the modules, sub-modules, units, sub-units according to embodiments of the present disclosure may be implemented as split into multiple modules. Any one or more of the modules, sub-modules, units, sub-units according to embodiments of the present disclosure may be implemented at least in part as a hardware circuit, such as a Field Programmable Gate Array (FPGA), a Programmable Logic Array (PLA), a system-on-chip, a system-on-substrate, a system-on-package, an Application Specific Integrated Circuit (ASIC), or in any other reasonable manner of hardware or firmware that integrates or encapsulates the circuit, or in any one of or a suitable combination of three of software, hardware, and firmware. Alternatively, one or more of the modules, sub-modules, units, sub-units according to embodiments of the present disclosure may be at least partially implemented as computer program modules, which when executed, may perform the corresponding functions.
For example, any of the first setting module 410, the monitoring module 420, the processing module 430, and the transmitting module 440 may be combined in one module/unit/sub-unit or any of the modules/units/sub-units may be split into a plurality of modules/units/sub-units. Alternatively, at least some of the functionality of one or more of these modules/units/sub-units may be combined with at least some of the functionality of other modules/units/sub-units and implemented in one module/unit/sub-unit. According to embodiments of the present disclosure, at least one of the first setup module 410, the monitor module 420, the processing module 430, and the transmit module 440 may be implemented at least in part as hardware circuitry, such as a Field Programmable Gate Array (FPGA), a Programmable Logic Array (PLA), a system on a chip, a system on a substrate, a system on a package, an Application Specific Integrated Circuit (ASIC), or may be implemented in hardware or firmware in any other reasonable way of integrating or packaging the circuitry, or in any one of or a suitable combination of any of the three implementations of software, hardware, and firmware. Alternatively, at least one of the first setting module 410, the monitoring module 420, the processing module 430 and the transmitting module 440 may be at least partially implemented as a computer program module, which may perform the corresponding functions when being run.
It should be noted that, in the embodiment of the present disclosure, the file monitoring device portion corresponds to the file monitoring method portion; for the description of the file monitoring device portion, refer to the file monitoring method portion, which is not repeated here.
Fig. 5 schematically illustrates a block diagram of a computer system suitable for implementing the above-described method according to an embodiment of the present disclosure. The computer system illustrated in fig. 5 is merely an example, and should not be construed as limiting the functionality and scope of use of embodiments of the present disclosure.
As shown in fig. 5, a computer system 500 according to an embodiment of the present disclosure includes a processor 501, which can perform various appropriate actions and processes according to a program stored in a Read Only Memory (ROM) 502 or a program loaded from a storage section 508 into a Random Access Memory (RAM) 503. The processor 501 may include, for example, a general purpose microprocessor (e.g., a CPU), an instruction set processor and/or an associated chipset and/or a special purpose microprocessor (e.g., an Application Specific Integrated Circuit (ASIC)), or the like. The processor 501 may also include on-board memory for caching purposes. The processor 501 may comprise a single processing unit or a plurality of processing units for performing different actions of the method flows according to embodiments of the disclosure.
In the RAM503, various programs and data required for the operation of the system 500 are stored. The processor 501, ROM502, and RAM503 are connected to each other by a bus 504. The processor 501 performs various operations of the method flow according to the embodiments of the present disclosure by executing programs in the ROM502 and/or the RAM 503. Note that the program may be stored in one or more memories other than the ROM502 and the RAM 503. The processor 501 may also perform various operations of the method flow according to embodiments of the present disclosure by executing programs stored in the one or more memories.
According to an embodiment of the present disclosure, the system 500 may further include an input/output (I/O) interface 505, the input/output (I/O) interface 505 also being connected to the bus 504. The system 500 may also include one or more of the following components connected to the I/O interface 505: an input section 506 including a keyboard, a mouse, and the like; an output portion 507 including a Cathode Ray Tube (CRT), a Liquid Crystal Display (LCD), and the like, and a speaker, and the like; a storage portion 508 including a hard disk and the like; and a communication section 509 including a network interface card such as a LAN card, a modem, or the like. The communication section 509 performs communication processing via a network such as the internet. The drive 510 is also connected to the I/O interface 505 as needed. A removable medium 511 such as a magnetic disk, an optical disk, a magneto-optical disk, a semiconductor memory, or the like is mounted on the drive 510 as needed so that a computer program read therefrom is mounted into the storage section 508 as needed.
According to embodiments of the present disclosure, the method flow according to embodiments of the present disclosure may be implemented as a computer software program. For example, embodiments of the present disclosure include a computer program product comprising a computer program embodied on a computer readable storage medium, the computer program comprising program code for performing the method shown in the flowcharts. In such an embodiment, the computer program may be downloaded and installed from a network via the communication portion 509, and/or installed from the removable media 511. The above-described functions defined in the system of the embodiments of the present disclosure are performed when the computer program is executed by the processor 501. The systems, devices, apparatus, modules, units, etc. described above may be implemented by computer program modules according to embodiments of the disclosure.
The present disclosure also provides a computer-readable storage medium that may be embodied in the apparatus/device/system described in the above embodiments; or may exist alone without being assembled into the apparatus/device/system. The computer-readable storage medium carries one or more programs which, when executed, implement methods in accordance with embodiments of the present disclosure.
According to embodiments of the present disclosure, the computer-readable storage medium may be a non-volatile computer-readable storage medium. Examples may include, but are not limited to: a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing. In the context of this disclosure, a computer-readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device.
For example, according to embodiments of the present disclosure, the computer-readable storage medium may include ROM502 and/or RAM503 and/or one or more memories other than ROM502 and RAM503 described above.
The flowcharts and block diagrams in the figures illustrate the architecture, functionality, and operation of possible implementations of systems, methods and computer program products according to various embodiments of the present disclosure. In this regard, each block in the flowchart or block diagrams may represent a module, segment, or portion of code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that, in some alternative implementations, the functions noted in the block may occur out of the order noted in the figures. For example, two blocks shown in succession may, in fact, be executed substantially concurrently, or the blocks may sometimes be executed in the reverse order, depending upon the functionality involved. It will also be noted that each block of the block diagrams or flowchart illustration, and combinations of blocks in the block diagrams or flowchart illustration, can be implemented by special purpose hardware-based systems which perform the specified functions or acts, or combinations of special purpose hardware and computer instructions. Those skilled in the art will appreciate that the features recited in the various embodiments of the disclosure and/or in the claims may be combined and/or incorporated in various ways, even if such combinations or incorporations are not explicitly recited in the disclosure. In particular, the features recited in the various embodiments of the present disclosure and/or the claims may be variously combined and/or incorporated without departing from the spirit and teachings of the present disclosure. All such combinations and/or incorporations fall within the scope of the present disclosure.
The embodiments of the present disclosure are described above. However, these examples are for illustrative purposes only and are not intended to limit the scope of the present disclosure. Although the embodiments are described above separately, this does not mean that the measures in the embodiments cannot be used advantageously in combination. The scope of the disclosure is defined by the appended claims and equivalents thereof. Various alternatives and modifications can be made by those skilled in the art without departing from the scope of the disclosure, and such alternatives and modifications are intended to fall within the scope of the disclosure.

Claims (7)

1. A method of file monitoring, comprising:
setting operation parameters of a functional module for realizing a file system notification mechanism in a kernel mode, wherein the operation parameters comprise processing functions for responding to file events;
monitoring whether the file system responds to an external operation within a predetermined period of time by calling a monitoring interface function of the functional module;
in response to monitoring that the file system responds to external operation within a preset period, calling the processing function according to a file event triggered by the response of the file system to the external operation so as to obtain information of a file responding to the external operation in the file system, wherein the information of the file responding to the external operation comprises a path of the file and a type of the file event; and
transmitting the information of the file responding to the external operation to a user-state application program so that the application program processes the file responding to the external operation;
the monitoring interface function comprises a first parameter and a second parameter, wherein the first parameter is used for identifying a first directory corresponding to the first parameter and all files in each level of subdirectory under the first directory, and the second parameter is used for identifying files in a second directory corresponding to the second parameter;
after the monitoring interface function is called, the method further comprises:
setting the first parameter as a root directory of a file system, and setting the second parameter as null, so that whether all files in all levels of subdirectories below the root directory of the file system respond to external operations is monitored in the process of calling the monitoring interface function.
2. The method of claim 1, further comprising, prior to invoking the monitoring interface function of the functional module:
calling a registration interface function of the functional module;
registering with the functional module according to the operation parameters; and
after the registration is successful, calling a monitoring interface function of the functional module.
3. The method of claim 1, wherein the transmitting the information of the file in response to the external operation to the user-mode application program comprises:
sending the information of the file subjected to the operation to a communication port number pre-agreed with the application program, so that the application program acquires the information of the file responding to the external operation by monitoring the communication port number.
4. The method of claim 1, wherein the type of file event comprises at least one of:
file creation, file opening, file writing, file closing, file deletion, and file renaming.
5. A file monitoring apparatus comprising:
the first setting module is used for setting the operation parameters of the functional module for realizing the file system notification mechanism in the kernel mode, wherein the operation parameters comprise processing functions for responding to file events;
the monitoring module is used for monitoring whether the file system responds to external operation within a preset period of time by calling a monitoring interface function of the functional module;
a processing module, configured to, in response to monitoring that the file system responds to an external operation within a predetermined period of time, call the processing function according to a file event triggered by the response of the file system to the external operation, so as to obtain information of a file in the file system responding to the external operation, where the information of the file responding to the external operation includes a path of the file and a type of the file event; and
the sending module is used for sending the information of the file responding to the external operation to the user-state application program so that the application program can process the file responding to the external operation;
the monitoring interface function comprises a first parameter and a second parameter, wherein the first parameter is used for identifying a first directory corresponding to the first parameter and all files in each level of subdirectory under the first directory, and the second parameter is used for identifying files in a second directory corresponding to the second parameter;
the apparatus further comprises:
a second setting module, configured to set the first parameter as the root directory of the file system and set the second parameter as null after the monitoring interface function is called, so that whether all files in all levels of subdirectories under the root directory of the file system respond to external operations is monitored in the process of calling the monitoring interface function.
6. A computer system, comprising:
one or more processors;
a memory for storing one or more programs,
wherein the one or more programs, when executed by the one or more processors, cause the one or more processors to implement the method of any of claims 1-4.
7. A computer readable storage medium having stored thereon executable instructions which when executed by a processor cause the processor to implement the method of any of claims 1 to 4.
CN202010438627.0A 2020-05-21 2020-05-21 File monitoring method, device, computer system and storage medium Active CN113704179B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010438627.0A CN113704179B (en) 2020-05-21 2020-05-21 File monitoring method, device, computer system and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202010438627.0A CN113704179B (en) 2020-05-21 2020-05-21 File monitoring method, device, computer system and storage medium

Publications (2)

Publication Number Publication Date
CN113704179A CN113704179A (en) 2021-11-26
CN113704179B true CN113704179B (en) 2023-12-05

Family

ID=78645937

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202010438627.0A Active CN113704179B (en) 2020-05-21 2020-05-21 File monitoring method, device, computer system and storage medium

Country Status (1)

Country Link
CN (1) CN113704179B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN115840938B (en) * 2023-02-21 2023-05-09 山东捷讯通信技术有限公司 File monitoring method and device

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103399812A (en) * 2013-07-22 2013-11-20 西安电子科技大学 Magnetic disc file operation monitoring system and monitoring method based on Xen hardware virtualization
CN104866778A (en) * 2015-01-30 2015-08-26 武汉华工安鼎信息技术有限责任公司 Document safety access control method and device based on Linux kernel
CN109388538A (en) * 2018-09-13 2019-02-26 西安交通大学 A kind of file operation behavior monitoring method and device based on kernel

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8201029B2 (en) * 2008-01-31 2012-06-12 International Business Machines Corporation Method and apparatus for operating system event notification mechanism using file system interface

Also Published As

Publication number Publication date
CN113704179A (en) 2021-11-26

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
CB02 Change of applicant information

Address after: 100044 2nd floor, building 1, yard 26, Xizhimenwai South Road, Xicheng District, Beijing

Applicant after: Qianxin Wangshen information technology (Beijing) Co.,Ltd.

Applicant after: QAX Technology Group Inc.

Address before: 100097 No. 202, 203, 205, 206, 207, 208, 2nd floor, block D, No. 51, Kunming Hunan Road, Haidian District, Beijing

Applicant before: LEGENDSEC INFORMATION TECHNOLOGY (BEIJING) Inc.

Applicant before: QAX Technology Group Inc.

GR01 Patent grant