CN117251419A - File monitoring method and device, electronic equipment and storage medium - Google Patents


Info

Publication number: CN117251419A
Authority: CN (China)
Prior art keywords: file, monitoring, packet filter, target, kernel
Legal status: Pending (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Application number: CN202310891260.1A
Other languages: Chinese (zh)
Inventor: 张道龙
Current Assignee: Softcom Power Information Technology Group Co ltd (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Original Assignee: Softcom Power Information Technology Group Co ltd
Application filed by Softcom Power Information Technology Group Co ltd
Priority to CN202310891260.1A
Publication of CN117251419A

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/10 File systems; File servers
    • G06F16/17 Details of further file system functions
    • G06F16/1734 Details of monitoring file system events, e.g. by the use of hooks, filter drivers, logs
    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00 Arrangements for program control, e.g. control units
    • G06F9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/46 Multiprogramming arrangements
    • G06F9/50 Allocation of resources, e.g. of the central processing unit [CPU]
    • G06F9/5005 Allocation of resources, e.g. of the central processing unit [CPU] to service a request
    • G06F9/5011 Allocation of resources, e.g. of the central processing unit [CPU] to service a request the resources being hardware resources other than CPUs, Servers and Terminals
    • G06F9/5016 Allocation of resources, e.g. of the central processing unit [CPU] to service a request the resources being hardware resources other than CPUs, Servers and Terminals the resource being the memory


Abstract

The invention discloses a file monitoring method and apparatus, an electronic device, and a storage medium. The method includes: determining a kernel extended Berkeley Packet Filter (eBPF) program, where the kernel eBPF program is generated by loading a target eBPF program into the system kernel; monitoring operation information of a target monitoring file by means of the kernel eBPF program, where the operation information includes at least a file read operation, a file change operation, a file rename operation and a file delete operation; and, if the kernel eBPF program detects operation information of the target monitoring file, storing the operation information in a memory space. The kernel is the system kernel of the system that runs the target monitoring file, and the memory space is the memory space of that system. This technical solution improves file monitoring efficiency and also allows files in the system kernel to be monitored.

Description

File monitoring method and device, electronic equipment and storage medium
Technical Field
The present invention relates to the field of file monitoring technologies, and in particular, to a method and apparatus for monitoring a file, an electronic device, and a storage medium.
Background
In many businesses and institutions, the usage rights for a large number of files are well defined, but users may still perform operations that exceed those rights, which can harm the business or institution. Some files on a computer therefore need to be monitored.
However, conventional monitoring tools often run in user space and monitor files by polling, which leads to low monitoring efficiency, serious lag, and limits on which files can be monitored. There is therefore an urgent need for a method that monitors files in real time while remaining efficient.
Disclosure of Invention
The invention provides a file monitoring method, a device, electronic equipment and a storage medium, which are used for solving the problems that the file monitoring efficiency is low and partial files cannot be monitored.
According to an aspect of the present invention, there is provided a file monitoring method, including:
determining a kernel extended Berkeley Packet Filter (eBPF) program, where the kernel eBPF program is generated by loading a target eBPF program into the system kernel;
monitoring operation information of a target monitoring file by means of the kernel eBPF program, where the operation information includes at least a file read operation, a file change operation, a file rename operation and a file delete operation;
if the kernel eBPF program detects operation information of the target monitoring file, storing the operation information in a memory space, where the kernel is the system kernel of the system that runs the target monitoring file, and the memory space is the memory space of that system.
According to another aspect of the present invention, there is provided a file monitoring apparatus, including:
a kernel program determining module, configured to determine a kernel eBPF program, where the kernel eBPF program is generated by loading a target eBPF program into the system kernel;
an operation information monitoring module, configured to monitor operation information of the target monitoring file by means of the kernel eBPF program, where the operation information includes at least a file read operation, a file change operation, a file rename operation and a file delete operation;
an operation information storage module, configured to store the operation information in the memory space if the kernel eBPF program detects operation information of the target monitoring file, where the kernel is the system kernel of the system that runs the target monitoring file, and the memory space is the memory space of that system.
According to another aspect of the present invention, there is provided an electronic apparatus including:
at least one processor; and
a memory communicatively coupled to the at least one processor; wherein,
the memory stores a computer program executable by the at least one processor to enable the at least one processor to perform the file monitoring method of any one of the embodiments of the present invention.
According to another aspect of the present invention, there is provided a computer readable storage medium storing computer instructions for causing a processor to execute a file monitoring method according to any of the embodiments of the present invention.
With the technical solution of this embodiment, once the target extended Berkeley Packet Filter (eBPF) program has been obtained, it can be run so that it enters the system kernel, yielding the kernel eBPF program that runs in the system kernel. Because the operation information of the target monitoring file is monitored by the kernel eBPF program, files that users are forbidden to access, such as system files, can also be monitored. If the kernel eBPF program detects operation information of the target monitoring file, the operation information is stored in the memory space, so the target monitoring file is monitored more efficiently and files operated on within the system kernel can be monitored as well. These steps improve file monitoring efficiency and allow files in the system kernel to be monitored.
It should be understood that the description in this section is not intended to identify key or critical features of the embodiments of the invention or to delineate the scope of the invention. Other features of the present invention will become apparent from the description that follows.
Drawings
In order to more clearly illustrate the technical solutions of the embodiments of the present invention, the drawings required for the description of the embodiments will be briefly described below, and it is apparent that the drawings in the following description are only some embodiments of the present invention, and other drawings may be obtained according to these drawings without inventive effort for a person skilled in the art.
FIG. 1 is a flow chart of a method for monitoring files according to a first embodiment of the present invention;
FIG. 2 is a flowchart of another method for monitoring files according to a second embodiment of the present invention;
FIG. 3 is a schematic structural diagram of a file monitoring apparatus according to a third embodiment of the present invention;
FIG. 4 is a schematic structural diagram of an electronic device implementing a file monitoring method according to an embodiment of the present invention.
Detailed Description
In order that those skilled in the art will better understand the present invention, a technical solution in the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings in which it is apparent that the described embodiments are only some embodiments of the present invention, not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the present invention without making any inventive effort, shall fall within the scope of the present invention.
It should be noted that the terms "first," "second," and the like in the description and the claims of the present invention and the above figures are used for distinguishing between similar objects and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used may be interchanged where appropriate such that the embodiments of the invention described herein may be implemented in sequences other than those illustrated or otherwise described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
Example 1
Fig. 1 is a flowchart of a file monitoring method according to an embodiment of the present invention, where the method may be applied to real-time monitoring of a file to ensure security of a system and data of the file, and the method may be performed by a file monitoring device, where the file monitoring device may be implemented in hardware and/or software, and where the file monitoring device may be configured in an electronic device having data processing capabilities. As shown in fig. 1, the method includes:
S110, determining a kernel extended Berkeley Packet Filter (eBPF) program.
The kernel eBPF program is generated by loading the target eBPF program into the system kernel.
The extended Berkeley Packet Filter (eBPF) is a technology extended from the Berkeley Packet Filter (BPF), in which BPF's single packet-filtering event has gradually been extended to kernel-space functions, user-space functions, tracepoints, performance events, security controls, and so on.
The kernel eBPF program may be an eBPF program running in the system kernel.
After the target eBPF program is obtained, it can be run so that it enters the system kernel, yielding the kernel eBPF program that runs in the system kernel.
In one alternative, determining the kernel eBPF program may include steps A1-A2:
Step A1, compiling the target eBPF program to obtain target bytecode instructions.
Step A2, converting the target bytecode instructions and loading them into the system kernel to obtain the kernel eBPF program.
The target bytecode instructions may be the compiled code, composed of opcodes and operands, that represents the target eBPF program.
After the target eBPF program is obtained, it must be loaded into the kernel to run. However, the target eBPF program cannot enter the kernel directly, so it must first be compiled into target bytecode instructions that can enter the kernel.
The target bytecode instructions are then loaded into the system kernel to obtain the kernel eBPF program.
In one alternative, after determining the kernel eBPF program, the method further includes steps B1-B2:
Step B1, sending a memory space request to the CPU according to the kernel eBPF program.
Step B2, parsing, by the CPU, the received memory space request and allocating the corresponding memory space according to the request.
The memory space request may be a request for the CPU to allocate a portion of the memory space.
After the kernel eBPF program is obtained, it sends a memory space request to the CPU, asking the CPU to allocate a portion of the memory space to the kernel eBPF program.
After receiving the memory space request sent by the kernel eBPF program, the CPU parses it to determine where the memory space required by the kernel eBPF program is to be allocated, and allocates the corresponding memory space according to the result.
S120, monitoring operation information of the target monitoring file by means of the kernel eBPF program.
The operation information includes at least identification information for a file read operation, a file change operation, a file rename operation and a file delete operation.
The target monitoring file may be a file that the user needs to monitor. The operation information may be the operation identifier that appears when the file is operated on.
When a user operates on a file, the operation information of that file appears in the kernel. Therefore, once the kernel eBPF program is obtained, it can run in the kernel and screen the operation information of every file in the kernel, so that the operation information of the target monitoring file is monitored.
Because the operation information of the target monitoring file is monitored by the kernel eBPF program, files that users are forbidden to access, such as system files, can also be monitored.
In one alternative, monitoring the operation information of the target monitoring file by means of the kernel eBPF program may include steps C1-C2:
Step C1, intercepting each operation file in the system through the kernel eBPF program.
Step C2, screening the intercepted operation files according to the operation information of the target monitoring file.
An operation file may be a file in the system on which an operation occurs. The operations include at least a file read operation, a file change operation, a file rename operation, a file delete operation, and the like.
After the kernel eBPF program is obtained, it runs in the kernel and intercepts each operation file in the system.
Each operation file is screened against the operation information of the target monitoring file. If an operation file does not match the operation information of the target monitoring file, it is released.
S130, if the kernel eBPF program detects operation information of the target monitoring file, storing the operation information in the memory space.
The kernel is the system kernel of the system that runs the target monitoring file; the memory space is the memory space of that system.
While the operation information of the target monitoring file is being monitored, if the kernel eBPF program detects operation information of the target monitoring file, this indicates that a user or the system has operated on the target monitoring file. The kernel eBPF program then copies the operation information of the target monitoring file and stores it in the memory space.
Storing the operation information in the memory space when the kernel eBPF program detects it makes monitoring of the target monitoring file more efficient and allows files operated on within the system kernel to be monitored.
In one alternative, after the operation information is stored in the memory space, the method further includes steps D1-D2:
Step D1, sending the operation information in the memory space to a database and deleting the operation information from the memory space.
Step D2, if the operation information contains target identification information, sending target alarm information to the user.
The target identification information may be information identifying the type of operation performed on the target monitoring file, including but not limited to file modification operations, file read operations, rename operations, and the like. The target alarm information may be information notifying the user that the target monitoring file has been operated on.
To improve the efficiency of monitoring the target monitoring file, once the operation information has been obtained and stored in the memory space, it is sent to the database and deleted from the memory space. This avoids a system failure caused by the memory space being exhausted when the target monitoring file is monitored over a long period.
When the operation information contains the target identification information, an operation that the user wants to monitor has occurred on the target monitoring file. The target alarm information is then sent to the user to notify them that such an operation has taken place.
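The following is an added example, not part of the patent: a user-space model in Python of steps C1-C2, S130 and D1-D2. The kernel eBPF side is replaced by constructed sample events, and the class, field and table names, the exact-path matching and the bounded buffer with a drop counter are assumptions made for illustration.

```python
import sqlite3
from collections import deque
from dataclasses import dataclass

# Operation types named in S120: read, change, rename, delete.
MONITORED_OPS = {"read", "change", "rename", "delete"}


@dataclass(frozen=True)
class FileEvent:
    """One intercepted file operation (hypothetical record layout)."""
    ts: float
    pid: int
    uid: int
    path: str
    op: str


class FileMonitor:
    def __init__(self, target_paths, alert_ops, db, capacity=1024):
        self.targets = set(target_paths)   # target monitoring files
        self.alert_ops = set(alert_ops)    # "target identification information"
        self.buffer = deque()              # the memory space of S130
        self.capacity = capacity           # assumption: buffer is bounded
        self.dropped = 0                   # makes lost events visible
        self.db = db
        db.execute(
            "CREATE TABLE IF NOT EXISTS file_ops "
            "(ts REAL, pid INTEGER, uid INTEGER, path TEXT, op TEXT)"
        )

    def on_event(self, ev):
        """C1-C2 and S130: screen one intercepted operation.

        Returns True if the event was stored, False if it was released
        (not a target file or operation) or dropped (buffer full).
        """
        if ev.op not in MONITORED_OPS or ev.path not in self.targets:
            return False
        if len(self.buffer) >= self.capacity:
            self.dropped += 1
            return False
        self.buffer.append(ev)
        return True

    def flush(self):
        """D1-D2: persist buffered records, free the memory, return alerts."""
        events = list(self.buffer)
        rows = [(e.ts, e.pid, e.uid, e.path, e.op) for e in events]
        # Commit first; the in-memory copy is deleted only after the
        # database has the records, so a failed write loses nothing.
        with self.db:
            self.db.executemany("INSERT INTO file_ops VALUES (?,?,?,?,?)", rows)
        self.buffer.clear()
        return [
            f"ALERT {e.op} on {e.path} by uid={e.uid} pid={e.pid}"
            for e in events
            if e.op in self.alert_ops
        ]


# Constructed sample events standing in for what the kernel program reports.
SAMPLE_EVENTS = [
    FileEvent(1.0, 4101, 1000, "/etc/passwd", "read"),
    FileEvent(2.0, 4102, 1000, "/tmp/scratch.txt", "change"),  # not a target
    FileEvent(3.0, 4103, 0, "/etc/shadow", "change"),
    FileEvent(4.0, 4104, 1000, "/etc/shadow", "open"),         # op not monitored
    FileEvent(5.0, 4105, 1001, "/etc/passwd", "rename"),
    FileEvent(6.0, 4106, 0, "/etc/shadow", "delete"),          # buffer is full
]


def run_demo():
    db = sqlite3.connect(":memory:")
    mon = FileMonitor(
        {"/etc/passwd", "/etc/shadow"},
        {"change", "rename", "delete"},
        db,
        capacity=3,
    )
    kept = [mon.on_event(ev) for ev in SAMPLE_EVENTS]
    buffered = len(mon.buffer)
    alerts = mon.flush()
    stored = db.execute("SELECT COUNT(*) FROM file_ops").fetchone()[0]
    return kept, buffered, alerts, stored, len(mon.buffer), mon.dropped


if __name__ == "__main__":
    print(run_demo())
```

With the buffer capacity set to 3, the final delete event is dropped and counted rather than stored, which shows why the flush interval and buffer size have to be matched to the event rate.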
With the technical solution of this embodiment, once the target extended Berkeley Packet Filter (eBPF) program has been obtained, it can be run so that it enters the system kernel, yielding the kernel eBPF program that runs in the system kernel. Because the operation information of the target monitoring file is monitored by the kernel eBPF program, files that users are forbidden to access, such as system files, can also be monitored. If the kernel eBPF program detects operation information of the target monitoring file, the operation information is stored in the memory space, so the target monitoring file is monitored more efficiently and files operated on within the system kernel can be monitored as well. These steps improve file monitoring efficiency and allow files in the system kernel to be monitored.
Example 2
Fig. 2 is a flowchart of another file monitoring method according to an embodiment of the present invention. Building on the foregoing embodiment, this embodiment further optimizes the process of determining the kernel extended Berkeley Packet Filter (eBPF) program, and it may be combined with the alternatives in one or more of the embodiments above. As shown in Fig. 2, the file monitoring method of this embodiment may include the following steps:
S210, generating candidate monitoring information, and a candidate eBPF program corresponding to the candidate monitoring information, according to the historical monitoring requirements.
A monitoring requirement may be requirement information specifying the files, and the operations on those files, that the user wishes to monitor. The candidate monitoring information may be monitoring information that the user currently wishes to monitor. The candidate eBPF program may be an eBPF program generated from the candidate monitoring information. The historical monitoring requirements may be the monitoring requirements from past work.
When determining the candidate eBPF program, the user can select the candidate monitoring information and the corresponding candidate eBPF program from the past historical monitoring requirements.
Because the candidate monitoring information and the corresponding candidate eBPF program are generated from the historical monitoring requirements, the user can select them from earlier requirements, which avoids wasting system computing resources on repeatedly generating an eBPF program for the same monitoring requirement.
S220, determining a target monitoring file from the candidate monitoring information according to the target monitoring requirement.
S230, determining a target extended Berkeley Packet Filter (eBPF) program from the candidate eBPF programs according to the target monitoring file.
The target monitoring requirement may specify the files, and the operations on those files, that the user wishes to monitor this time.
After the user determines the target monitoring requirement, the target monitoring file can be selected from the candidate monitoring information.
The candidate eBPF programs are then screened according to the target monitoring file to obtain the target eBPF program corresponding to the target monitoring file.
Because the target monitoring file is determined from the candidate monitoring information according to the target monitoring requirement, and the target eBPF program is determined from the candidate eBPF programs according to the target monitoring file, the user can obtain the target monitoring file and target eBPF program needed for the target monitoring requirement directly from earlier monitoring files and their corresponding eBPF programs. This improves the efficiency of generating the target monitoring file and the target eBPF program.
Optionally, before determining the target eBPF program from the candidate eBPF programs according to the target monitoring file, the method further includes:
if the historical monitoring requirements do not contain the target monitoring requirement, generating a target eBPF program corresponding to the target monitoring requirement according to the target monitoring requirement, and storing the target eBPF program in the historical monitoring requirements.
Obtaining the target monitoring requirement and the target eBPF program from the historical monitoring requirements improves the operating efficiency of the system, but this approach can only be used when the target monitoring requirement is fully contained in the historical monitoring requirements.
The historical monitoring requirements may not contain the target monitoring requirement. In that case, a target eBPF program corresponding to the target monitoring requirement is generated according to the target monitoring requirement and stored in the historical monitoring requirements. This expands the historical monitoring requirements and reduces the likelihood that they will not contain the next target monitoring requirement the next time a target monitoring file is monitored.
S240, determining a kernel extended Berkeley Packet Filter (eBPF) program.
The kernel eBPF program is generated by loading the target eBPF program into the system kernel.
S250, monitoring operation information of the target monitoring file by means of the kernel eBPF program.
The operation information includes at least a file read operation, a file change operation, a file rename operation and a file delete operation.
S260, if the kernel eBPF program detects operation information of the target monitoring file, storing the operation information in the memory space.
The kernel is the system kernel of the system that runs the target monitoring file; the memory space is the memory space of that system.
With the technical solution of this embodiment of the invention, the candidate monitoring information and the corresponding candidate eBPF program are generated from the historical monitoring requirements, so the user can select them from earlier requirements, which avoids wasting system computing resources. Because the target monitoring file is determined from the candidate monitoring information according to the target monitoring requirement, and the target eBPF program is determined from the candidate eBPF programs according to the target monitoring file, the user can obtain the target monitoring file and target eBPF program needed for the target monitoring requirement directly from earlier monitoring files and their corresponding eBPF programs. This improves the efficiency of generating the target monitoring file and the target eBPF program.
Example III
Fig. 3 is a block diagram of a file monitoring device according to an embodiment of the present invention. This embodiment is applicable to monitoring files in real time to ensure the security of the system and of file data. The file monitoring device may be implemented in hardware and/or software, and may be configured in an electronic device having data processing capabilities. As shown in Fig. 3, the file monitoring device of this embodiment may include: a kernel program determination module 310, an operation information monitoring module 320, and an operation information storage module 330, wherein:
the kernel program determination module 310 is configured to determine a kernel extended Berkeley Packet Filter program, wherein the kernel extended Berkeley Packet Filter program is generated by loading a target extended Berkeley Packet Filter program into the system kernel;
the operation information monitoring module 320 is configured to monitor operation information on the target monitoring file according to the kernel extended Berkeley Packet Filter program, wherein the operation information includes at least a file read operation, a file change operation, a file rename operation and a file delete operation;
the operation information storage module 330 is configured to store the operation information into a memory space if the kernel extended Berkeley Packet Filter program detects operation information of the target monitoring file, wherein the kernel is the system kernel of the system running the target monitoring file, and the memory space is the memory space of the system running the target monitoring file.
On the basis of the above embodiment, optionally, the kernel program determination module 310 includes:
a program compiling unit, configured to compile the target extended Berkeley Packet Filter program to obtain target bytecode instructions;
and a program loading unit, configured to convert the target bytecode instructions and load them into the system kernel to obtain the kernel extended Berkeley Packet Filter program.
On the basis of the above embodiment, optionally, the operation information monitoring module 320 includes:
an operated-file interception unit, configured to intercept each operated file in the system through the kernel extended Berkeley Packet Filter program;
and an operated-file screening unit, configured to screen the intercepted operated files according to the operation information of the target monitoring file.
On the basis of the above embodiment, optionally, after the operation information storage module 330, the device further includes:
an operation information deleting module, configured to send the operation information in the memory space to a database and delete the operation information from the memory space;
and an alarm information sending module, configured to send target alarm information to the user if the operation information contains target identification information.
On the basis of the above embodiment, optionally, after the kernel program determination module 310, the device further includes:
a memory space request module, configured to send a memory space request to the CPU according to the kernel extended Berkeley Packet Filter program;
and a memory space dividing module, configured to parse the received memory space request through the CPU and divide out the corresponding memory space according to the memory space request.
On the basis of the above embodiment, optionally, after the kernel program determination module 310, the device further includes:
a candidate program generation module, configured to generate candidate monitoring information and candidate extended Berkeley Packet Filter programs corresponding to the candidate monitoring information according to historical monitoring requirements;
a monitoring file determination module, configured to determine the target monitoring file from the candidate monitoring information according to the target monitoring requirement;
and a target program generation module, configured to determine the target extended Berkeley Packet Filter program from the candidate extended Berkeley Packet Filter programs according to the target monitoring file.
On the basis of the above embodiment, optionally, before the target program generation module, the device further includes:
a monitoring requirement adding module, configured to, if the historical monitoring requirements do not contain the target monitoring requirement, generate the target extended Berkeley Packet Filter program corresponding to the target monitoring requirement according to the target monitoring requirement, and store the target extended Berkeley Packet Filter program into the historical monitoring requirements.
The file monitoring device provided by the embodiment of the invention can execute the file monitoring method provided by any embodiment of the invention, and has the corresponding functional modules and beneficial effects of the execution method.
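The screening, in-memory storage, database transfer and alarm steps described above for modules 320 and 330 and their optional modules, modelled in user-space C as an added example (this is not code from the patent). Matching by inode, the four-slot ring, the drop counter and treating a delete operation as the "target identification information" are assumptions made for illustration; a real eBPF program would run in the kernel and pass events to user space through a BPF map or ring buffer.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Operation kinds listed in the text: read, change, rename, delete. */
enum file_op { OP_READ, OP_CHANGE, OP_RENAME, OP_DELETE };

struct file_event {
    uint64_t inode;   /* file that was operated on (assumed identifier) */
    uint32_t pid;     /* process that performed the operation */
    enum file_op op;
};

#define RING_SLOTS 4  /* constructed size of the reserved memory space */

struct monitor {
    uint64_t target_inode;               /* the target monitoring file */
    struct file_event ring[RING_SLOTS];  /* in-memory store */
    unsigned head, count;                /* oldest slot, slots in use */
    unsigned dropped;                    /* matches lost while the ring was full */
};

/* Screen one intercepted operation and store it if it hits the target.
 * Returns 1 = stored, 0 = filtered out, -1 = matched but dropped (ring full). */
int monitor_on_event(struct monitor *m, const struct file_event *ev)
{
    if (ev->inode != m->target_inode)
        return 0;
    if (m->count == RING_SLOTS) {
        m->dropped++;   /* a monitoring gap: count it so it can be reported */
        return -1;
    }
    m->ring[(m->head + m->count) % RING_SLOTS] = *ev;
    m->count++;
    return 1;
}

/* Move up to db_cap stored events to the database sink, wipe each slot,
 * and count events whose operation equals alert_op. Returns rows written. */
unsigned monitor_drain(struct monitor *m, struct file_event *db, unsigned db_cap,
                       enum file_op alert_op, unsigned *alerts)
{
    unsigned n = 0;
    *alerts = 0;
    while (m->count > 0 && n < db_cap) {
        struct file_event *slot = &m->ring[m->head];
        db[n++] = *slot;
        if (slot->op == alert_op)
            (*alerts)++;
        memset(slot, 0, sizeof *slot);   /* delete from the memory space */
        m->head = (m->head + 1) % RING_SLOTS;
        m->count--;
    }
    return n;
}

/* Constructed sample: inode 42 is the watched file, inode 7 is unrelated. */
static const struct file_event SAMPLE[] = {
    {42, 100, OP_READ},   {7, 101, OP_CHANGE},  {42, 100, OP_CHANGE},
    {42, 102, OP_RENAME}, {42, 103, OP_DELETE}, {42, 103, OP_READ},
};

int main(void)
{
    struct monitor m = { .target_inode = 42 };
    struct file_event db[8];
    unsigned alerts, rows;
    for (size_t i = 0; i < sizeof SAMPLE / sizeof SAMPLE[0]; i++)
        monitor_on_event(&m, &SAMPLE[i]);
    rows = monitor_drain(&m, db, 8, OP_DELETE, &alerts);
    printf("rows=%u alerts=%u dropped=%u\n", rows, alerts, m.dropped);
    return 0;
}
```

Events that arrive while the memory space is full never reach the database, so the `dropped` counter should be exported and watched alongside the stored records.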
Example IV
Fig. 4 shows a schematic diagram of the structure of an electronic device 10 that may be used to implement an embodiment of the invention. Electronic devices are intended to represent various forms of digital computers, such as laptops, desktops, workstations, personal digital assistants, servers, blade servers, mainframes, and other appropriate computers. Electronic devices may also represent various forms of mobile devices, such as personal digital processing devices, cellular telephones, smartphones, wearable devices (e.g., helmets, glasses, watches, etc.), and other similar computing devices. The components shown herein, their connections and relationships, and their functions, are meant to be exemplary only, and are not meant to limit implementations of the inventions described and/or claimed herein.
As shown in fig. 4, the electronic device 10 includes at least one processor 11, and a memory, such as a Read Only Memory (ROM) 12, a Random Access Memory (RAM) 13, etc., communicatively connected to the at least one processor 11, in which the memory stores a computer program executable by the at least one processor, and the processor 11 may perform various appropriate actions and processes according to the computer program stored in the Read Only Memory (ROM) 12 or the computer program loaded from the storage unit 18 into the Random Access Memory (RAM) 13. In the RAM 13, various programs and data required for the operation of the electronic device 10 may also be stored. The processor 11, the ROM 12 and the RAM 13 are connected to each other via a bus 14. An input/output (I/O) interface 15 is also connected to bus 14.
Various components in the electronic device 10 are connected to the I/O interface 15, including: an input unit 16 such as a keyboard, a mouse, etc.; an output unit 17 such as various types of displays, speakers, and the like; a storage unit 18 such as a magnetic disk, an optical disk, or the like; and a communication unit 19 such as a network card, modem, wireless communication transceiver, etc. The communication unit 19 allows the electronic device 10 to exchange information/data with other devices via a computer network, such as the internet, and/or various telecommunication networks.
The processor 11 may be any of a variety of general-purpose and/or special-purpose processing components having processing and computing capabilities. Some examples of the processor 11 include, but are not limited to, a Central Processing Unit (CPU), a Graphics Processing Unit (GPU), various specialized Artificial Intelligence (AI) computing chips, various processors running machine learning model algorithms, Digital Signal Processors (DSPs), and any suitable processor, controller, microcontroller, etc. The processor 11 performs the various methods and processes described above, such as the file monitoring method.
In some embodiments, the file monitoring method may be implemented as a computer program tangibly embodied on a computer-readable storage medium, such as storage unit 18. In some embodiments, part or all of the computer program may be loaded and/or installed onto the electronic device 10 via the ROM 12 and/or the communication unit 19. When the computer program is loaded into RAM 13 and executed by processor 11, one or more steps of the file monitoring method described above may be performed. Alternatively, in other embodiments, the processor 11 may be configured to perform the file monitoring method in any other suitable way (e.g., by means of firmware).
Various implementations of the systems and techniques described above may be realized in digital electronic circuitry, integrated circuit systems, Field Programmable Gate Arrays (FPGAs), Application Specific Integrated Circuits (ASICs), Application Specific Standard Products (ASSPs), Systems On Chip (SOCs), Complex Programmable Logic Devices (CPLDs), computer hardware, firmware, software, and/or combinations thereof. These various implementations may include implementation in one or more computer programs that can be executed and/or interpreted on a programmable system including at least one programmable processor, which may be a special-purpose or general-purpose programmable processor, and which can receive data and instructions from, and transmit data and instructions to, a storage system, at least one input device, and at least one output device.
A computer program for carrying out methods of the present invention may be written in any combination of one or more programming languages. These computer programs may be provided to a processor of a general purpose computer, special purpose computer, or other programmable data processing apparatus, such that the computer programs, when executed by the processor, cause the functions/acts specified in the flowchart and/or block diagram block or blocks to be implemented. The computer program may execute entirely on the machine, partly on the machine, as a stand-alone software package, partly on the machine and partly on a remote machine or entirely on the remote machine or server.
In the context of the present invention, a computer-readable storage medium may be a tangible medium that can contain, or store a computer program for use by or in connection with an instruction execution system, apparatus, or device. The computer readable storage medium may include, but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any suitable combination of the foregoing. Alternatively, the computer readable storage medium may be a machine readable signal medium. More specific examples of a machine-readable storage medium would include an electrical connection based on one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
To provide for interaction with a user, the systems and techniques described here can be implemented on an electronic device having: a display device (e.g., a CRT (cathode ray tube) or LCD (liquid crystal display) monitor) for displaying information to a user; and a keyboard and a pointing device (e.g., a mouse or a trackball) through which a user can provide input to the electronic device. Other kinds of devices may also be used to provide for interaction with a user; for example, feedback provided to the user may be any form of sensory feedback (e.g., visual feedback, auditory feedback, or tactile feedback); and input from the user may be received in any form, including acoustic input, speech input, or tactile input.
The systems and techniques described here can be implemented in a computing system that includes a back-end component (e.g., a data server), or that includes a middleware component (e.g., an application server), or that includes a front-end component (e.g., a user computer having a graphical user interface or a web browser through which a user can interact with an implementation of the systems and techniques described here), or any combination of such back-end, middleware, or front-end components. The components of the system can be interconnected by any form or medium of digital data communication (e.g., a communication network). Examples of communication networks include: Local Area Networks (LANs), Wide Area Networks (WANs), blockchain networks, and the internet.
The computing system may include clients and servers. The client and server are typically remote from each other and typically interact through a communication network. The relationship of client and server arises by virtue of computer programs running on the respective computers and having a client-server relationship to each other. The server can be a cloud server, also called a cloud computing server or a cloud host, and is a host product in a cloud computing service system, so that the defects of high management difficulty and weak service expansibility in the traditional physical hosts and VPS service are overcome.
It should be appreciated that steps may be reordered, added, or deleted using the various forms of flow shown above. For example, the steps described in the present invention may be performed in parallel, sequentially, or in a different order, so long as the desired results of the technical solution of the present invention are achieved, and no limitation is imposed herein.
The above embodiments do not limit the scope of the present invention. It will be apparent to those skilled in the art that various modifications, combinations, sub-combinations and alternatives are possible, depending on design requirements and other factors. Any modifications, equivalent substitutions and improvements made within the spirit and principles of the present invention should be included in the scope of the present invention.

Claims (10)

1. A file monitoring method, comprising:
determining a kernel extended Berkeley Packet Filter program; wherein the kernel extended Berkeley Packet Filter program is generated by loading a target extended Berkeley Packet Filter program into a system kernel;
monitoring operation information on a target monitoring file according to the kernel extended Berkeley Packet Filter program; wherein the operation information includes at least a file read operation, a file change operation, a file rename operation and a file delete operation;
if the kernel extended Berkeley Packet Filter program detects the operation information of the target monitoring file, storing the operation information into a memory space; wherein the kernel is the system kernel of the system running the target monitoring file, and the memory space is the memory space of the system running the target monitoring file.
2. The method of claim 1, wherein determining the kernel extended Berkeley Packet Filter program comprises:
compiling the target extended Berkeley Packet Filter program to obtain target bytecode instructions;
and converting the target bytecode instructions and loading them into the system kernel to obtain the kernel extended Berkeley Packet Filter program.
3. The method of claim 1, wherein monitoring the operation information on the target monitoring file according to the kernel extended Berkeley Packet Filter program comprises:
intercepting each operated file in the system through the kernel extended Berkeley Packet Filter program;
and screening the intercepted operated files according to the operation information of the target monitoring file.
4. The method of claim 1, wherein after the kernel extended Berkeley Packet Filter program detects the operation information of the target monitoring file, the method further comprises:
sending the operation information in the memory space to a database and deleting the operation information from the memory space;
and if the operation information contains target identification information, sending target alarm information to the user.
5. The method of claim 1, wherein after determining the kernel extended Berkeley Packet Filter program, the method further comprises:
sending a memory space request to a CPU according to the kernel extended Berkeley Packet Filter program;
and parsing the received memory space request through the CPU, and dividing out the corresponding memory space according to the memory space request.
6. The method of claim 1, wherein prior to determining the kernel extended Berkeley Packet Filter program, the method further comprises:
generating candidate monitoring information and candidate extended Berkeley Packet Filter programs corresponding to the candidate monitoring information according to historical monitoring requirements;
determining the target monitoring file from the candidate monitoring information according to a target monitoring requirement;
and determining the target extended Berkeley Packet Filter program from the candidate extended Berkeley Packet Filter programs according to the target monitoring file.
7. The method of claim 6, wherein prior to determining the target extended Berkeley Packet Filter program from the candidate extended Berkeley Packet Filter programs according to the target monitoring file, the method further comprises:
if the historical monitoring requirements do not contain the target monitoring requirement, generating the target extended Berkeley Packet Filter program corresponding to the target monitoring requirement according to the target monitoring requirement, and storing the target extended Berkeley Packet Filter program into the historical monitoring requirements.
8. A file monitoring device, comprising:
a kernel program determination module, configured to determine a kernel extended Berkeley Packet Filter program; wherein the kernel extended Berkeley Packet Filter program is generated by loading a target extended Berkeley Packet Filter program into a system kernel;
an operation information monitoring module, configured to monitor operation information on a target monitoring file according to the kernel extended Berkeley Packet Filter program; wherein the operation information includes at least a file read operation, a file change operation, a file rename operation and a file delete operation;
an operation information storage module, configured to store the operation information into a memory space if the kernel extended Berkeley Packet Filter program detects the operation information of the target monitoring file; wherein the kernel is the system kernel of the system running the target monitoring file, and the memory space is the memory space of the system running the target monitoring file.
9. An electronic device, the electronic device comprising:
at least one processor; and
a memory communicatively coupled to the at least one processor; wherein,
the memory stores a computer program executable by the at least one processor to enable the at least one processor to perform the file monitoring method of any one of claims 1-7.
10. A computer-readable storage medium storing computer instructions for causing a processor to perform the file monitoring method of any one of claims 1-7.
CN202310891260.1A 2023-07-19 2023-07-19 File monitoring method and device, electronic equipment and storage medium Pending CN117251419A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310891260.1A CN117251419A (en) 2023-07-19 2023-07-19 File monitoring method and device, electronic equipment and storage medium

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202310891260.1A CN117251419A (en) 2023-07-19 2023-07-19 File monitoring method and device, electronic equipment and storage medium

Publications (1)

Publication Number Publication Date
CN117251419A true CN117251419A (en) 2023-12-19

Family

ID=89125409

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202310891260.1A Pending CN117251419A (en) 2023-07-19 2023-07-19 File monitoring method and device, electronic equipment and storage medium

Country Status (1)

Country Link
CN (1) CN117251419A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination