
CN107871003A - Method and apparatus for event handling in a multi-platform system - Google Patents


Info

Publication number: CN107871003A
Authority: CN (China)
Prior art keywords: platform, event, file, data, load
Legal status: Granted
Application number: CN201711104559.9A
Other languages: Chinese (zh)
Other versions: CN107871003B (en)
Inventors: 雅各布·费特尔松, 奥哈德·科尔库斯, 奥菲尔·克雷策-卡齐尔
Current Assignee: Varonis Systems Inc
Original Assignee: Varonis Systems Inc

Application filed by Varonis Systems Inc
Priority to CN201711104559.9A
Publication of CN107871003A
Application granted
Publication of CN107871003B
Legal status: Expired - Fee Related
Anticipated expiration

Classifications

    • G PHYSICS
    • G06 COMPUTING OR CALCULATING; COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F16/00 Information retrieval; Database structures therefor; File system structures therefor
    • G06F16/10 File systems; File servers
    • G06F16/17 Details of further file system functions
    • G06F16/1734 Details of monitoring file system events, e.g. by the use of hooks, filter drivers, logs

Landscapes

  • Engineering & Computer Science (AREA)
  • Theoretical Computer Science (AREA)
  • Data Mining & Analysis (AREA)
  • Databases & Information Systems (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)

Abstract

A method for event handling in a multi-platform system, and an apparatus for carrying out the method. The method includes: obtaining file access events from the multi-platform system; processing an event while considering auxiliary data in order to determine an action; and activating the action.

Description

Method and apparatus for event handling in a multi-platform system

This application is a divisional application of the invention application filed on September 19, 2011, with application number 2011800735591 and the title "Method and apparatus for event handling in a multi-platform system".

Technical Field

The present disclosure relates generally to file access events and, more particularly, to handling file access events in a multi-platform system.

Background

Distributed multi-platform computerized systems are common, for example in banks, investment firms, large enterprises, or other organizations such as the military.

For example, such a system may comprise from tens to thousands of platforms, operating at a rate of several million, or around a billion, per hour.

Summary of the Invention

One exemplary embodiment of the disclosed subject matter is a system for event handling in a multi-platform system, comprising: a processor, installed in a platform of the multi-platform system, for intercepting file access events in the multi-platform system; and at least one server connected to at least one platform, the at least one server being configured to obtain the events intercepted by the processor and to process an event by at least one rule while considering auxiliary data, in order to decide an action in response to the event, wherein the auxiliary data is provided independently of the obtaining of the event.

Another exemplary embodiment of the disclosed subject matter is a method for event handling in a multi-platform system, comprising: obtaining a file access event in the multi-platform system; processing the event while considering auxiliary data to decide or determine an action; and optionally activating the action.

In the context of this disclosure, without limitation, a platform means a computer having data resources such as folders or files, possibly sharing those data resources with another computer, where different platforms may have different hardware and/or software and may organize their data objects or resources differently. For example, platforms may be different types of computers running under different operating systems and using different file systems.

Typically, a platform is connected to one or more other platforms, which form various connection arrangements, such as clusters of interconnected platforms where the clusters are linked to one another.

In the context of this disclosure, without limitation and unless otherwise indicated, a server means a computer outside of, or supplementary to, the multi-platform system.

In the context of this disclosure, without limitation and unless otherwise indicated, a database means any data structure outside of, or supplementary to, the data resources or objects of the multi-platform system, not excluding a conventional database or lookup table of the prior art.

For brevity, clarity and without limitation, in this disclosure a reference to an operating system means any software that operates to control the functions of a computer and, in particular, to control access to the file system, such as Windows, Linux, MacOS or other software.

For brevity, clarity and without limitation, in this disclosure a reference to a file system means any repository or organization of data objects or data sources within a platform or shared among several platforms, for example Microsoft's FAT32 or NTFS, Apple's HFS, IBM's LTFS, Sun Microsystems' ZFS, Oracle's ACFS, Microsoft SharePoint, other organizations such as the mail in a mail server (for example Microsoft Exchange), or any other organization such as Joliet (ISO 9660:1988).

In the context of this disclosure, without limitation, a reference to a file means any data object or data source of a file system, for example, as the term is used in the prior art, an attachment in a mail message, a link to a web page, or an ordinary file.

In the context of this disclosure, without limitation, an event refers to an event as the term is used in existing computer and software technology, such as an interrupt, a signal or a procedure call, generally asynchronous but not excluding synchronous events.

For brevity, clarity and without limitation, in this disclosure a distributed multi-platform computerized system is referred to as a multi-platform system.

Description of the Drawings

Certain non-limiting exemplary embodiments or features of the disclosed subject matter are illustrated in the following figures.

Identical, duplicate, equivalent or similar structures, elements or parts that appear in one or more figures are generally labeled with the same reference numeral, optionally with an additional letter or letters to distinguish between similar objects or variants of an object, and are not repeatedly labeled and/or described.

The dimensions of the components and features shown in the figures are chosen for convenience or clarity of presentation and are not necessarily shown to scale or as true views. For convenience and clarity, some elements or structures are not shown or are only partially shown, and/or are shown from different angles or perspectives.

References to previously presented elements do not necessarily cite again the figure or description in which they appear.

FIG. 1 schematically illustrates a system for event handling in a multi-platform system according to an exemplary embodiment of the disclosed subject matter.

FIG. 2 schematically illustrates a normalized event record according to an exemplary embodiment of the disclosed subject matter.

FIG. 3 schematically depicts operations in processing events from a multi-platform system according to an exemplary embodiment of the disclosed subject matter.

Detailed Description

One technical problem addressed by the disclosed subject matter is responding in real time to intercepted file access events in a multi-platform system.

Another technical problem addressed by the disclosed subject matter is compressing and reducing the amount of data relating to intercepted file access events in a multi-platform system.

Another technical problem addressed by the disclosed subject matter is handling intercepted file access events in a multi-platform system within, or according to, an extended or broadened context that goes beyond the event itself.

One technical solution according to the disclosed subject matter is to link or couple the processing of intercepted file access events to each platform, or to a portion of the platforms. Information about events in a platform or a group of platforms, or information relating to those events, is monitored by a server, also referred to as a "probe", which is connected to the platform or to each platform in the group.

The event information is processed by the probe, thereby relieving the platforms of the load of processing event information and thereby enabling real-time processing of, and response to, events in the multi-platform system.

According to the load, or the expected load, of processing intercepted events in real time, additional probes are connected to the platforms, reducing the burden on each probe and balancing the processing load, thereby providing a scalable solution for load balancing in the real-time response to events in a multi-platform system.

Another technical solution according to the disclosed subject matter is a process operating in the probe, or in an apparatus, together with a data structure such as a table or database, which discards redundant data of the intercepted events and/or abbreviates redundant data of the intercepted events into corresponding codes.

By way of example, if a user opens a particular object, such as a file or folder, several times within a time interval, then instead of recording each individual access only the interval of the events is recorded, possibly together with the number of accesses within that interval.

By way of another example, a unique code is assigned to the accessed object, thereby avoiding repeated recording of the object's full path string.

By way of another example, instead of recording the user name, an abbreviated unique code for that user name is used, thereby avoiding repeated recording of the user's full name.
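The interval-based compression described above, as an added example written for this page (it is not code from the patent or from Varonis): repeated accesses by the same user to the same object, of the same event type, are collapsed into one record holding the interval and the access count. The 300-second window and the sample events are constructed assumptions; the patent does not fix a window length.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample events (not taken from the patent):
# (timestamp in seconds, user, object path, event type)
SAMPLE_EVENTS = [
    (1000, "alice", r"\\fs1\finance\q3.xlsx", "open"),
    (1005, "alice", r"\\fs1\finance\q3.xlsx", "open"),
    (1050, "alice", r"\\fs1\finance\q3.xlsx", "open"),
    (1100, "bob",   r"\\fs1\finance\q3.xlsx", "open"),
    (1700, "alice", r"\\fs1\finance\q3.xlsx", "open"),    # outside alice's first window
    (1710, "alice", r"\\fs1\finance\q3.xlsx", "delete"),  # different type: never merged
]

EventKey = Tuple[str, str, str]  # (user, path, event type)


@dataclass
class IntervalRecord:
    """One stored record standing in for several raw accesses."""
    user: str
    path: str
    event_type: str
    first_ts: int   # start of the interval
    last_ts: int    # time of the last access merged into it
    count: int      # number of raw accesses represented


def aggregate(events, window: int) -> List[IntervalRecord]:
    """Collapse accesses by the same user to the same object, of the same type,
    that fall within `window` seconds of the interval start into one record.
    Accesses of different types (e.g. delete vs. open) are never merged, so a
    destructive operation is not hidden inside a burst of reads."""
    open_records: Dict[EventKey, IntervalRecord] = {}
    closed: List[IntervalRecord] = []
    for ts, user, path, etype in sorted(events):      # process in time order
        key = (user, path, etype)
        rec = open_records.get(key)
        if rec is not None and ts - rec.first_ts <= window:
            rec.last_ts = ts
            rec.count += 1
            continue
        if rec is not None:           # window expired: emit the old interval
            closed.append(rec)
        open_records[key] = IntervalRecord(user, path, etype, ts, ts, 1)
    closed.extend(open_records.values())
    closed.sort(key=lambda r: (r.first_ts, r.user, r.path, r.event_type))
    return closed


def compression_ratio(events, window: int) -> float:
    """Raw events per stored record; 1.0 means nothing was collapsed."""
    return len(events) / len(aggregate(events, window))


if __name__ == "__main__":
    for rec in aggregate(SAMPLE_EVENTS, window=300):
        print(rec)
    print("ratio:", compression_ratio(SAMPLE_EVENTS, 300))
```

Keying the interval on the event type as well as on user and object is a deliberate choice: a single delete inside a burst of opens stays visible as its own record rather than disappearing into a count.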

Another technical solution according to the disclosed subject matter is one or more data structures, such as a database, stored in a server connected to the probe and/or in the probe, the one or more data structures holding auxiliary, extraneous or disjoint information relating to the events.

By taking the auxiliary information into account, events can be processed and/or analyzed in a broader context within, or beyond, the multi-platform system.

By way of example, an object such as a folder may be recorded in the data structure as sensitive data of the organization. When that object is accessed, an event is generated in the platform where the object is stored, and the event is monitored or captured by a probe.

The event data, which includes the object's path or its code, is checked against the data in the data structure, and where the object is identified as sensitive, further action may be taken.

The data in the data structure may be predefined, or may be determined or modified according to events or other operations in the multi-platform system. Thus, during the operation of the multi-platform system, the auxiliary or extraneous information may be updated incrementally. For example, if a particular user repeatedly accesses a particular file within a certain period of time, the information in the data structure is updated accordingly. Subsequently, upon further events of that user accessing that file, as captured by the probe, the information in the data structure is consulted, and that user may be prevented from further access to the file.

A potential technical effect of the disclosed subject matter is a multi-platform system capable of processing file access events in real time within an extended context that goes beyond the data included in the event.

As used herein, the term "real time" generally means an operation in response to an event that is completed sufficiently quickly, before another event occurs.

A general, non-limiting overview of practicing the present disclosure is given below. The overview describes exemplary practice of embodiments of the disclosure and provides a basis for constructing modified and/or alternative and/or divergent embodiments, some of which are described subsequently.

Operations on files of a file system, such as creating or deleting a file, reading or writing a file, and in some cases modifying the attributes of a file (such as read-only), are generally well-defined procedures of the operating system and/or file system. Such operations on files can be tracked, for example, through services of the operating system, by using an API (application programming interface), by "hooking" into the file operation procedure, or by any other method provided by the operating system and/or file system. Obtaining information about the occurrence and nature of file operations is collectively referred to herein as "file operation capture" or, for brevity, "capture", or variants thereof.

Events can be generated by capturing file operations. In some cases, the operating system and/or file system generates the events. In many cases, and/or in some embodiments of the present disclosure, an event includes data, or is accompanied by data, or data is provided with the event; this data is referred to as event data. For clarity and brevity, a reference to an event also means the event data.

Event data includes items, or indications of them or associations with them, such as the accessed file with part of its full path (referred to as the file path), the user accessing the file, the event type according to the operation performed (such as open or delete), the time of the operation (referred to as the timestamp), the location or platform where the event originated, or any other data associated with the event (such as the destination of the event in the case of a copy or move), or any combination thereof.

In some embodiments, the platform includes, or is linked or coupled to, a processor that captures file operations and generates events, or, alternatively, a processor that intercepts events generated by the operating system and/or file system. The processor is also referred to herein as a "driver".

Events are obtained from one or more drivers by a server that operates as an agent of the multi-platform system with respect to events; the server or agent is also referred to herein as a "probe". In some embodiments, the probe queries the driver for events, or, alternatively, the driver sends events to the probe, or, optionally or alternatively, a combination of querying and receiving events by the probe is used.

In some embodiments, a probe can be connected to one platform or to a plurality of platforms. In some embodiments, a plurality of probes is used, each connected to a different plurality of platforms, optionally with connection redundancy.

In some embodiments, the probe stores event data in a database according to a storage mechanism, such as in response to an event, or periodically (such as once an hour or once a day). In some embodiments, all probes are connected to the same database; optionally or alternatively, a plurality of databases is used, optionally with the databases being accessible to all probes.

In some embodiments, the database includes information about files, other information about the multi-platform system, or any other auxiliary or disjoint information related to the events. Optionally, information collected during the operation of the multi-platform system and/or collected by the probes is provided to the database, for example file permissions, file levels (such as group sensitivity), the identities of the users accessing a particular file and at what rate or in what time intervals, or the removal of users from, or the introduction of users into, the multi-platform system.

Upon obtaining an event, the probe examines the event data, possibly also with respect to the data in the database, and performs one or more operations according to one or more rules, somewhat similarly to the mailbox rules of prior art mail clients.

For example, a rule may read something like: if a file being deleted is marked as sensitive, generate an alert; as a consequence, suspend the operation unless it is confirmed by an authorized user.
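The probe-side rule evaluation described in the passages above (the sensitive-folder check, the incrementally updated auxiliary data, and the example rule for deleting a sensitive file), as an added example written for this page rather than code from the patent or from Varonis. The `Event`, `AuxiliaryData`, `Action` and `Probe` names, the 3-accesses-in-60-seconds threshold, and the sample events are all constructed assumptions; treating a delete performed by an authorized user as already confirmed is a simplification of the rule quoted in the text.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set, Tuple


@dataclass(frozen=True)
class Event:
    """Event data as the probe obtains it from a driver."""
    path: str
    user: str
    event_type: str   # e.g. "open", "delete"
    timestamp: int    # seconds
    platform: str


@dataclass
class AuxiliaryData:
    """Stand-in for the database of auxiliary data the probe consults.
    Contents are constructed for this example."""
    sensitive_paths: Set[str]
    authorized_users: Set[str]
    blocked: Set[Tuple[str, str]] = field(default_factory=set)              # (user, path)
    access_history: Dict[Tuple[str, str], List[int]] = field(default_factory=dict)


@dataclass(frozen=True)
class Action:
    kind: str     # ALERT, SUSPEND, BLOCK or ALLOW
    reason: str


Rule = Callable[[Event, AuxiliaryData], List[Action]]


def sensitive_delete_rule(ev: Event, aux: AuxiliaryData) -> List[Action]:
    """The rule quoted in the text: deleting a file marked sensitive raises an
    alert and suspends the operation pending confirmation by an authorized user.
    Assumption: a delete performed by an authorized user counts as confirmed."""
    if ev.event_type != "delete" or ev.path not in aux.sensitive_paths:
        return []
    actions = [Action("ALERT", f"delete of sensitive object {ev.path} by {ev.user}")]
    if ev.user not in aux.authorized_users:
        actions.append(Action("SUSPEND", "held until an authorized user confirms"))
    return actions


def repeated_access_rule(ev: Event, aux: AuxiliaryData,
                         window: int = 60, limit: int = 3) -> List[Action]:
    """A user who accesses the same file `limit` times within `window` seconds is
    recorded in the auxiliary data (an incremental update) and blocked from then on.
    The threshold values are assumptions, not values from the patent."""
    key = (ev.user, ev.path)
    if key in aux.blocked:
        return [Action("BLOCK", f"{ev.user} previously flagged for {ev.path}")]
    history = aux.access_history.setdefault(key, [])
    history.append(ev.timestamp)
    history[:] = [t for t in history if ev.timestamp - t <= window]   # keep the window
    if len(history) >= limit:
        aux.blocked.add(key)
        return [Action("ALERT", f"{ev.user} accessed {ev.path} {len(history)} times in {window}s"),
                Action("BLOCK", "further access denied")]
    return []


class Probe:
    """Runs every rule over an obtained event and returns the decided actions."""
    def __init__(self, rules: List[Rule], aux: AuxiliaryData) -> None:
        self.rules = rules
        self.aux = aux

    def handle(self, ev: Event) -> List[Action]:
        actions: List[Action] = []
        for rule in self.rules:
            actions.extend(rule(ev, self.aux))
        return actions or [Action("ALLOW", "no rule matched")]


def sample_aux() -> AuxiliaryData:
    """Constructed auxiliary data: one sensitive file, one authorized user."""
    return AuxiliaryData(sensitive_paths={r"\\fs1\hr\salaries.xlsx"},
                         authorized_users={"alice"})


# Constructed sample events from one platform "fs1" (not from the patent).
SAMPLE_EVENTS = [
    Event(r"\\fs1\hr\salaries.xlsx", "bob",   "delete", 100, "fs1"),
    Event(r"\\fs1\hr\salaries.xlsx", "alice", "delete", 110, "fs1"),
    Event(r"\\fs1\hr\salaries.xlsx", "carol", "open",   200, "fs1"),
    Event(r"\\fs1\hr\salaries.xlsx", "carol", "open",   220, "fs1"),
    Event(r"\\fs1\hr\salaries.xlsx", "carol", "open",   240, "fs1"),
    Event(r"\\fs1\hr\salaries.xlsx", "carol", "open",   260, "fs1"),
    Event(r"\\fs1\public\readme.txt", "bob",  "delete", 300, "fs1"),
]


def run_sample() -> List[List[str]]:
    """Feed the sample events through a probe; returns the action kinds per event."""
    probe = Probe([sensitive_delete_rule, repeated_access_rule], sample_aux())
    return [[a.kind for a in probe.handle(ev)] for ev in SAMPLE_EVENTS]


if __name__ == "__main__":
    for ev, kinds in zip(SAMPLE_EVENTS, run_sample()):
        print(ev.timestamp, ev.user, ev.event_type, ev.path, "->", kinds)
```

The rules never see the platform itself: they consume the event data plus the auxiliary data held beside the probe, which is what lets the decision (alert, suspend, block) be made without adding work to the monitored platform.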

It may be noted that the use of the drivers by the probes, and the further processing of events, at least potentially enables minimal or negligible intervention in the operation of the multi-platform system.

FIG. 1 schematically illustrates an event handling system 100 in a multi-platform system 190 according to an exemplary embodiment of the disclosed subject matter, where the arrows between the components of the event handling system 100 generally indicate data flow between the components.

The multi-platform system 190 comprises a plurality of instances of platform 110, as indicated by the dashed lines 192 and 194, representing any number of platforms 110.

Platform 110 includes an operating system 114 and a file system 116 or, to the same effect, any structure or mechanism capable of storing, managing and accessing data objects.

The event handling system 100 includes a server acting as a probe 120 connected to one or more platforms such as platform 110, as indicated by the dashed line 192, which represents any number of platforms 110 connected to the probe 120. As indicated by the dashed line 194, the two illustrated instances of probe 120 represent any number of probes such as probe 120 connected to any number of platforms such as platform 110.

Probe 120 includes, or is coupled or linked to, one or more rules, collectively referred to as rules 122. Rules 122 use the event or the event data, or a part thereof, as parameters or arguments to the logic or procedure of rules 122, according to which an action is decided or determined.

Platform 110 includes a processor, represented as driver 112, which generates and/or intercepts file access events in platform 110, referred to generally and without limitation as "interception". The events are provided to probe 120 and/or obtained by probe 120.

Note that driver 112 does not necessarily have to be installed in, or coupled to, every platform 110; rather, driver 112 is installed in, or coupled to, any platform 110 that has accessible files or for which file access events are being handled.

In some embodiments, in response to obtaining an event, probe 120 runs rules 122 using the obtained event as a parameter for the procedural logic of rules 122. Where an action is decided by rules 122, probe 120 performs the action, or invokes, initiates or authorizes the decided action, with respect to other components of the event handling system 100 or the multi-platform system 190.

In some embodiments, using probe 120 to process and handle events reduces the processing load on the multi-platform system 190 and/or minimizes or reduces intervention in the operation of the multi-platform system 190, where driver 112 captures file access events in the multi-platform system 190 non-intrusively.

In some embodiments, probe 120 obtains events from platform 110 via another component or components, such as a proxy server, which reduces the communication load in the event handling system 100 and/or reduces the processing load by preprocessing, such as filtering events before they reach probe 120.

In some embodiments, probe 120 stores the events in a database 130, enabling further reference to and/or analysis of the events. Optionally, probe 120 stores the events via an agent, such as a server, and/or via an intermediate storage, such as a cache.

In some embodiments, database 130 is implemented on a server or any other apparatus, where database 130 represents any type of repository or organization, possibly split or distributed among a plurality of servers or apparatuses. Thus, in some embodiments, the events are stored in a structure or apparatus different from, or independent of, the one in which the auxiliary data (explained further below) is stored. Still, for brevity and clarity, the storage apparatus or structure is referred to as database 130.

In some embodiments, the events are stored in a compressed form and/or in a structure as described below.

Note that rules 122 do not necessarily have to be stored in probe 120; alternatively or additionally, rules 122 may be stored in another apparatus, such as a server linked to probe 120.

Note that driver 112 does not necessarily have to be stored in platform 110; alternatively or additionally, driver 112 may be stored in another apparatus, such as a server linked to platform 110.

Note that probe 120 does not necessarily have to be an apparatus separate from platform 110; alternatively or additionally, probe 120 is included in platform 110, using, for example, an additional processor and its memory.

在某些实施例中,除事件数据外,规则122使用额外的信息来决定动作。额外的信息还称作辅助数据,其结合事件数据使用或者用作参考,由此,影响或者使能影响逻辑的程序过程或者规则122的过程和/或所决定的动作。在某些实施例中,将辅助数据存储在数据库130中和/或由数据库130代表的任意其他装置或者结构中。In some embodiments, rules 122 use additional information in addition to event data to determine actions. The additional information, also referred to as auxiliary data, is used in conjunction with the event data or as a reference, thereby influencing or enabling the program procedure affecting logic or the procedure of the rules 122 and/or the determined action. In some embodiments, the auxiliary data is stored in database 130 and/or in any other device or structure represented by database 130 .

在某些实施例中,响应于获取事件,探针120针对涉及事件的辅助数据查询数据库130,并且在辅助数据出现在数据库130中的情况下,探针120取回辅助数据并且将辅助数据与规则122合并。可选地或者可替代地,探针(可选地,重复地或者周期性地)根据一机制(诸如根据重复事件的频率)从数据库130中取回辅助数据并且存储数据。在某些实施例中,探针120高速缓存数据,可选择地保存涉及频繁的事件的辅助数据。In some embodiments, in response to obtaining an event, probe 120 queries database 130 for assistance data related to the event, and where assistance data is present in database 130, probe 120 retrieves the assistance data and compares the assistance data with Rule 122 merged. Optionally or alternatively, the probe (optionally, repeatedly or periodically) retrieves the auxiliary data from the database 130 and stores the data according to a mechanism, such as according to the frequency of recurring events. In some embodiments, the probe 120 caches data, optionally saving auxiliary data related to frequent events.

在某些实施例中,辅助数据包括关于平台的文件系统中的文件或者多个平台的文件系统中的文件的信息。In some embodiments, the auxiliary data includes information about files in the platform's file system or files in the file systems of multiple platforms.

例如,辅助数据可以包括访问文件系统或者其一部分的权限、涉及文件系统或者其一部分的组中的成员资格、文件或者文件组的级别、分类为诸如敏感的或者公共的、为任意目的或者历史或者推荐而对文件标记、文件或者其组的指定的所有者、或者诸如为沙盒结果(即“假使怎样”的结果)的任意其他数据、或者其组合。For example, auxiliary data may include permissions to access the file system or a portion thereof, membership in a group involving the file system or a portion thereof, the level of the file or group of files, classifications such as sensitive or public, for any purpose or historical or Recommendations instead mark a file, a designated owner of a file or group thereof, or any other data such as a sandbox result (ie a "what if" result), or a combination thereof.

在某些实施例中,在多平台系统190和/或事件处理系统100的操作之前预设辅助数据中的某些或者一部分。In some embodiments, some or a portion of the auxiliary data is preset prior to operation of the multi-platform system 190 and/or the event processing system 100 .

在某些实施例中,如由辅助数据140和虚线箭头142示意性地说明的,辅助数据或者其一部分由多平台系统190的操作提供。例如,审计或者收集关于文件的用户的活动的历史以生成权限,或者由用户输入。In some embodiments, auxiliary data, or a portion thereof, is provided by operation of multi-platform system 190 , as schematically illustrated by auxiliary data 140 and dashed arrow 142 . For example, auditing or collecting a history of a user's activity on a file to generate permissions, or input by the user.

在某些实施例中,通过事件处理系统100的操作来提供辅助数据或者其一部分,诸如从探针120提供的事件的记录和/或规则122的结果。In some embodiments, auxiliary data, or a portion thereof, is provided through operation of event processing system 100 , such as records of events provided from probes 120 and/or results of rules 122 .

相应地,在某些实施例中,在多平台系统190和/或事件处理系统100的操作期间,使用辅助数据来递增地提供或者更新数据库130。Accordingly, in some embodiments, during operation of multi-platform system 190 and/or event processing system 100 , database 130 is incrementally provided or updated with auxiliary data.

在某些实施例中,涉及事件的辅助数据包括涉及文件或者文件组或者与文件或者文件组相关联的至少一部分数据,诸如文件名,或者属于文件或者涉及文件或者与文件相关联的目的地的位置。In some embodiments, ancillary data related to an event includes at least a portion of data related to or associated with a file or group of files, such as a file name, or a destination belonging to or related to or associated with a file. Location.

要强调的是在某些实施例中,与辅助数据相分离地,通过探针120来将事件存储在数据库130中。It is emphasized that in some embodiments, events are stored in database 130 by probe 120 separately from the auxiliary data.

在某些实施例中,探针120经由诸如为服务器的代理来连接到数据库130并且与数据库130通信;可选地,代理高速缓存来自探针120的某些事件数据和/或来自数据库130的辅助数据。In some embodiments, probe 120 connects to and communicates with database 130 via an agent, such as a server; optionally, the agent caches certain event data from probe 120 and/or supplementary data.

注意到,由于多平台系统190从处理事件中减负,使用探针120至少潜在地促进对事件的快速响应或者实时响应。Note that use of probes 120 at least potentially facilitates fast or real-time responses to events as multi-platform system 190 is offloaded from processing events.

Responding to events and analyzing and/or processing them (such as through rules 122) would, in principle, involve repeated and seemingly redundant references to, and/or storage of, items such as user names, file paths, or location identifiers (such as an IP address or a UNC path).

Such redundant operations can adversely affect response time and/or may require additional processors, such as additional probes 120, in order to respond to and process events in real time.

For this reason, and possibly for others, in some embodiments the items of multi-platform system 190 and/or optionally of event processing system 100 are expressed or encoded in a short form, or code. In some embodiments, only items that are referenced repeatedly, and/or are determined to be referenced repeatedly, are encoded. The encoding of items is also referred to herein as "normalization" or a variant thereof.

The codes are stored in a structure or structures such as a lookup table, optionally using or aided by a mechanism for sufficiently fast retrieval, such as a binary tree or a hash table.

Thus, in some embodiments, event data is not acquired, stored or logged with the full user name, the full file path of the accessed file, its destination or location UNC (Universal Naming Convention) path and/or similar data; instead, only the corresponding codes are recorded, which saves operating time (such as multiple memory accesses) and storage load, and saves storage space overall.

Figure 2 schematically illustrates a normalized event record according to an exemplary embodiment of the disclosed subject matter.

Lookup table 210 includes strings, indicated at 206, respectively for file paths, locations and user names, each associated with a code 204 that is a binary number (shown as a decimal number for clarity). The codes are used to normalize event record 202 by replacing the corresponding strings with codes.

Further and/or optionally or alternatively, in some embodiments, similar or redundant information is further reduced by compressing the information in the structure that reflects repeated or similar information; this method is also referred to as aggregation.

For example, if file F is accessed N times by user U between time T1 and time T2, the access to file F is recorded only once for the time interval T1-T2, at the Nth access. Furthermore, file F and user U are optionally recorded therein by their corresponding codes rather than by the full path and name strings.

As another example, records R1, R2 and R3 in database DB that are accessed by user U are not recorded three times; rather, they are recorded, optionally per time interval, as DB together with R1, R2, R3 and user U, and optionally DB and user U are recorded therein as their corresponding codes.
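The lookup-table normalization of Figure 2 and the aggregation examples above, carried out in runnable form. This is an added illustration and not code from the patent or from Varonis: the string-to-code table is a plain hash map (the text allows a binary tree or a hash table), the event fields, the fixed-size time window used to define the T1-T2 interval, and the sample accesses are all assumptions constructed for the example.

```python
"""Normalization (strings -> small integer codes) and aggregation of
file-access events.  Added illustration of the Figure 2 lookup table and of the
'file F accessed N times by user U in T1-T2' aggregation; not the patent's or
Varonis' code.  Field names, window scheme and sample events are assumptions."""
from collections import OrderedDict
from dataclasses import dataclass


@dataclass(frozen=True)
class RawEvent:
    timestamp: float   # seconds
    user: str          # full user name, e.g. CORP\alice
    path: str          # full UNC path of the accessed file
    location: str      # host or share the event came from
    op: str            # "read", "write", "delete", ...


class CodeTable:
    """Lookup table 210: every distinct string is stored once and referred to
    by a small integer code (hash-map backed, so lookups are O(1))."""

    def __init__(self):
        self._code_of = {}    # str -> int
        self._string_of = []  # int -> str; the code is the list index

    def encode(self, s: str) -> int:
        code = self._code_of.get(s)
        if code is None:                 # first sighting: allocate the next code
            code = len(self._string_of)
            self._code_of[s] = code
            self._string_of.append(s)
        return code

    def decode(self, code: int) -> str:
        return self._string_of[code]

    def __len__(self):
        return len(self._string_of)


def normalize(ev: RawEvent, table: CodeTable) -> tuple:
    """Event record 202: the user, path and location strings replaced by codes."""
    return (ev.timestamp, table.encode(ev.user), table.encode(ev.path),
            table.encode(ev.location), ev.op)


def aggregate(events, table: CodeTable, window: float):
    """Collapse repeated accesses with the same (user, file, location, op) that
    fall into the same `window`-second interval into one record holding the
    first and last time and a count, instead of N separate records."""
    buckets = OrderedDict()
    for ev in sorted(events, key=lambda e: e.timestamp):
        t, u, p, loc, op = normalize(ev, table)
        key = (u, p, loc, op, int(t // window))   # interval index = T1 // window
        rec = buckets.get(key)
        if rec is None:
            buckets[key] = {"user": u, "path": p, "location": loc, "op": op,
                            "first": t, "last": t, "count": 1}
        else:                                     # same user/file/interval: just count
            rec["last"] = t
            rec["count"] += 1
    return list(buckets.values())


# Constructed sample: alice reads one file four times within a minute, bob once.
SAMPLE = [
    RawEvent(960.0, r"CORP\alice", r"\\fs1\finance\q3.xlsx", "fs1", "read"),
    RawEvent(965.0, r"CORP\alice", r"\\fs1\finance\q3.xlsx", "fs1", "read"),
    RawEvent(980.0, r"CORP\alice", r"\\fs1\finance\q3.xlsx", "fs1", "read"),
    RawEvent(1010.0, r"CORP\alice", r"\\fs1\finance\q3.xlsx", "fs1", "read"),
    RawEvent(990.0, r"CORP\bob", r"\\fs1\finance\q3.xlsx", "fs1", "read"),
]


def demo():
    """Returns the code table, the aggregated records and the byte count of the
    strings that would otherwise be stored once per event."""
    table = CodeTable()
    records = aggregate(SAMPLE, table, window=60.0)
    string_bytes = sum(len(e.user) + len(e.path) + len(e.location) for e in SAMPLE)
    return table, records, string_bytes
```

The five raw events become two aggregated records and four table entries; the strings are stored once in the table and every record carries only integer codes, which is the saving the text describes. The table must be shared by the probe and whatever later decodes the records (the database or the agent cache), otherwise the codes are meaningless.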

In some embodiments, the normalized data and structures are stored in database 130. Optionally or alternatively, the normalized data and structures, or portions thereof, are stored in an auxiliary device or memory, such as the cache of the agent of probes 120, for quick reference.

In some embodiments, events are stored in database 130 in aggregated form, separately from and/or combined with the auxiliary data or a portion thereof.

Using normalization and/or aggregation at least potentially reduces processing, such as the application of rules 122, and/or storage in database 130 and/or the communication needed to acquire events from drivers 112, thereby at least potentially facilitating real-time response to and processing of events.

In some embodiments, the auxiliary data is also normalized into codes or aggregated, which at least potentially further reduces the response to and/or processing of events and makes it possible to reduce the number of probes 120.

In some embodiments, rules 122 operate in an "if-then-else" structure; optionally or additionally, rules 122 operate according to other structures, such as multi-way branching or an inference engine.

In some embodiments, the rules 122 stored in probes 120 run in parallel, or are multitasked or multithreaded, optionally processing multiple events at least partially in parallel.

In some embodiments, rules 122 are arranged according to one or more priority criteria and/or operate according to such criteria. For example, events originating from user input are processed in preference to events from a background database.

In some embodiments, the decisions of rules 122 in response to events, and/or the resulting actions, fall into three categories, namely filtering, alerting and workflow, where the actions are optionally invoked or initiated in real time in response to the event, or are designed accordingly.

In a filtering action the event is discarded or ignored, saving processing time and storage space; for example, events involving temporary or unimportant files, or events involving backup operations.

In an alerting action, information and/or a signal is sent to a suitable user and/or destination, such as by mail or by storing it in an event log. For example, an administrative user is notified when someone attempts to access a sensitive file, or when a user who is a member of a particular group, or of a different group, attempts to access a file.

In a workflow action, an operation or operations are invoked or initiated. The operations may be user-defined, defined by another party, and/or based on a computerized or software engine that can be extended or modified, such as through an API or other system calls. For example, blocking a user's permissions when the user deletes several files within a predetermined or preset time interval.

Figure 3 schematically outlines operations in processing events from the platforms of a multi-platform system according to an exemplary embodiment of the disclosed subject matter.

At 302, events from a distributed multi-platform computerized system, such as a multi-platform system, are acquired or received, such as in a probe 120; the events are intercepted from and/or generated for the multi-platform system by means of drivers 112.

In some embodiments, the events (meaning also the data in them) are acquired in compressed form, such as in a form normalized by codes.

At 304, auxiliary or additional data that is disjoint from the events is retrieved, such as from database 130 or from any source (optionally from a cache).

At 306, the event is processed, such as by rules 122, optionally determining one or more actions in view of, or taking into account, the auxiliary data.

At 308, the determined action is initiated or performed, optionally by a device such as probe 120 or by another device optionally included in multi-platform system 190.

At 310, the event is optionally stored, such as in database 130, optionally in compressed form through the use of codes and/or aggregation.

In some embodiments, the storing is performed before and/or after the processing or the activation of the action, optionally on a periodic basis or in response to one of several events.

The operations outlined above and/or their order may vary. For example, the auxiliary data may already have been stored and cached together with the processing code, such as rules 122, so that no further retrieval of auxiliary data is performed.

Two non-limiting examples are described below with respect to a company's distributed multi-platform computerized system, such as multi-platform system 190, as handled by an event processing apparatus such as event processing system 100.

In one scenario, a company learns that one of its employees is about to leave. Since the employee has certainly accessed sensitive information about the company, the administrator of the multi-platform system sets a rule, such as a rule 122, so that whenever the employee copies data marked as sensitive an alert is sent, allowing the employee to be detected and/or prevented from copying the data.

In another scenario, in order to minimize the damage an employee could cause by sharing company data, the administrator of the multi-platform system sets a rule, such as a rule 122, whereby if a user deletes more than three files within one minute in a folder whose permission is "Everyone", that user's permissions are removed, ensuring that the user will subsequently need to request access.
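The three action categories (filtering, alerting, workflow), the 302-310 sequence of Figure 3 and the two scenarios above, combined into one runnable rule engine. This is an added illustration and not code from the patent or from Varonis: the AuxData fields, the rule functions, the event fields and the sample events are assumptions constructed for the example, and running the filtering rule first is one way of applying the priority criteria mentioned earlier.

```python
"""Rule engine with filter / alert / workflow actions over file-access events,
consulting auxiliary data that is kept apart from the event stream.
Added example for the three action categories, the 302-310 flow and the two
scenarios; not the patent's or Varonis' code.  The AuxData fields, the rule
names and the sample events are assumptions / constructed input."""
from collections import defaultdict, deque
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Event:
    ts: float     # seconds
    user: str
    path: str     # UNC path
    op: str       # "read", "copy", "delete", ...


@dataclass
class AuxData:
    """Assumed shape of the auxiliary data (provided independently of events)."""
    sensitive_paths: set = field(default_factory=set)
    departing_users: set = field(default_factory=set)
    everyone_folders: set = field(default_factory=set)  # folders whose permission is "Everyone"
    backup_accounts: set = field(default_factory=set)


@dataclass(frozen=True)
class Action:
    kind: str      # "filter" | "alert" | "workflow"
    detail: str


class State:
    """What the probe keeps between events: sliding windows and outcomes."""
    def __init__(self):
        self.deletes = defaultdict(deque)  # (user, folder) -> recent delete timestamps
        self.revoked = set()               # (user, folder) pairs already acted on
        self.log = []                      # events that survived filtering (step 310)
        self.alerts = []
        self.workflows = []


def folder_of(path):
    return path.rsplit("\\", 1)[0]


# --- one rule per action category ------------------------------------------

def filter_temp_and_backup(ev, aux, st):
    """Filter: discard events on temporary files and backup-account traffic."""
    if ev.path.lower().endswith((".tmp", "~")) or ev.user in aux.backup_accounts:
        return Action("filter", "temporary file or backup traffic")
    return None


def alert_departing_user_copies_sensitive(ev, aux, st):
    """Alert: a user flagged as leaving copies a file marked sensitive."""
    if ev.op == "copy" and ev.user in aux.departing_users and ev.path in aux.sensitive_paths:
        return Action("alert", f"{ev.user} copied sensitive file {ev.path}")
    return None


def workflow_revoke_on_mass_delete(ev, aux, st, limit=3, interval=60.0):
    """Workflow: more than `limit` deletes within `interval` seconds in a folder
    open to Everyone -> remove that user's permission on the folder (once)."""
    folder = folder_of(ev.path)
    if ev.op != "delete" or folder not in aux.everyone_folders:
        return None
    window = st.deletes[(ev.user, folder)]
    window.append(ev.ts)
    while window and ev.ts - window[0] > interval:   # drop deletes older than the interval
        window.popleft()
    if len(window) > limit and (ev.user, folder) not in st.revoked:
        return Action("workflow", f"revoke {ev.user} on {folder}")
    return None


# Priority order: filtering runs first so a discarded event costs nothing more.
RULES = [filter_temp_and_backup,
         alert_departing_user_copies_sensitive,
         workflow_revoke_on_mass_delete]


def process(events, aux):
    """Steps 302-310: acquire events, consult aux data, evaluate rules, act, store."""
    st = State()
    for ev in sorted(events, key=lambda e: e.ts):          # 302: acquire in time order
        actions = []
        for rule in RULES:                                 # 306: rules read aux data (304)
            act = rule(ev, aux, st)
            if act is None:
                continue
            if act.kind == "filter":
                actions = [act]
                break                                      # nothing else to evaluate
            actions.append(act)
        if any(a.kind == "filter" for a in actions):
            continue                                       # filtered: not stored at all
        for act in actions:                                # 308: execute decided actions
            if act.kind == "alert":
                st.alerts.append(act.detail)
            elif act.kind == "workflow":
                st.revoked.add((ev.user, folder_of(ev.path)))
                st.workflows.append(act.detail)
        st.log.append((ev.ts, ev.user, ev.path, ev.op))     # 310: store the event
    return st


# Constructed sample input (not real audit data).
AUX = AuxData(
    sensitive_paths={r"\\fs1\finance\merger.docx"},
    departing_users={r"CORP\eve"},
    everyone_folders={r"\\fs1\public"},
    backup_accounts={r"CORP\backup-svc"},
)
SAMPLE = [
    Event(0.0, r"CORP\backup-svc", r"\\fs1\finance\merger.docx", "read"),   # filtered
    Event(1.0, r"CORP\alice", r"\\fs1\scratch\draft.tmp", "write"),          # filtered
    Event(2.0, r"CORP\eve", r"\\fs1\finance\merger.docx", "copy"),           # alert
    Event(3.0, r"CORP\bob", r"\\fs1\finance\merger.docx", "copy"),           # logged only
] + [Event(10.0 * i, r"CORP\mallory", rf"\\fs1\public\f{i}.txt", "delete")
     for i in range(1, 6)]                                                   # five deletes in 50 s


def demo():
    return process(SAMPLE, AUX)
```

The workflow rule is stateful: the per-(user, folder) deque is the sliding one-minute window, and the executed revocation is recorded in State so the action fires once on the fourth delete rather than on every subsequent one. The auxiliary data is a separate object the rules only read, matching the separation between events and auxiliary data the text insists on; in a deployment the revocation itself would be an API or system call against the platform, which this example records instead of performing.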

Note that the technique of this disclosure is not limited to file access events; in some embodiments it can be applied to other events or processes, such as input-output events or communications between processes or devices.

Thus, in accordance with the disclosed subject matter, there is provided a system for event handling in a multi-platform system, comprising: a processor installed in a platform of the multi-platform system for intercepting file access events in the multi-platform system; and at least one server connected to at least one platform, the at least one server being configured to acquire the events intercepted by the processor, and configured to process the events by at least one rule, while taking auxiliary data into account, in order to decide on an action in response to an event. In some embodiments, the auxiliary data is provided independently of the acquisition of the events.

In some embodiments, the auxiliary data includes at least one of: preset data relating to the multi-platform system, data accumulated in response to the operation of the multi-platform system, or data updated in response to the operation of the multi-platform system, or any combination thereof.

In some embodiments, the auxiliary data is stored in a database connected to the at least one server.

In some embodiments, the database is stored on at least one device separate from the at least one server and separate from the multi-platform system.

In some embodiments, the at least one server is configured for at least one of: acquiring events in compressed form, processing events in compressed form, storing events in compressed form, or any combination thereof, thereby facilitating real-time response to events.

In some embodiments, the compressed form includes at least one of encoded event data or aggregated event data, or a combination thereof.

In some embodiments, the at least one rule is stored in the at least one server, and in some embodiments the at least one server is configured to initiate the action decided by the at least one rule.

In some embodiments, the at least one rule comprises a plurality of rules.

In some embodiments, the at least one platform comprises a plurality of platforms.

In some embodiments, the at least one server comprises a plurality of servers.

In some embodiments, a processor is installed on every platform of the multi-platform system that has accessible files.

Thus, in accordance with the disclosed subject matter, there is further provided a method for event handling in a multi-platform system, comprising: acquiring a file access event from the multi-platform system; processing the event, taking auxiliary data into account, to decide on an action; and activating the action.

In some embodiments, processing the event includes using at least one rule, and in some embodiments the at least one rule comprises a plurality of rules.

In some embodiments, the auxiliary data includes at least one of: preset data relating to the multi-platform system, data accumulated in response to the operation of the multi-platform system, or data updated in response to the operation of the multi-platform system, or any combination thereof.

In some embodiments, the acquisition of events is performed on at least one server connected to, and separate from, the multi-platform system.

In some embodiments, the at least one server is configured for at least one of: acquiring events in compressed form, processing events in compressed form, storing events in compressed form, or any combination thereof, thereby facilitating real-time response to events.

In some embodiments, the compressed form includes at least one of encoded event data or aggregated event data, or a combination thereof.

In some embodiments, the auxiliary data is stored in a database connected to the at least one server.

The terms "processor", "computer" or "server", or systems thereof, are used herein in their ordinary meaning in the art, such as a general-purpose processor or microprocessor, a RISC processor, or a DSP, possibly including additional elements such as memory or communication ports. Optionally or additionally, the terms "processor" or "computer" or derivatives thereof denote an apparatus capable of executing a provided or incorporated program, and/or capable of controlling and/or accessing data storage apparatus and/or other apparatus such as input/output ports. The terms "processor" or "computer" also denote a plurality of processors or computers that are connected, linked or otherwise communicating, possibly sharing one or more other resources such as memory.

Depending on the context, the terms "software", "program", "software process" or "process", or "software code" or "code" are used interchangeably and denote one or more instructions or directives or circuitry for performing a sequence of operations that generally represents an algorithm and/or other process or method. The program is stored in or on a medium such as RAM, ROM or a disk, or is embedded in a circuit or other circuitry accessible to and executable by an apparatus such as a processor.

The processor and the program may constitute at least partly the same apparatus, such as an array of electronic gates, such as an FPGA or an ASIC, designed to execute a programmed sequence of operations, optionally including or linked to a processor or other circuitry.

The term computerized apparatus, or a similar term, denotes an apparatus having one or more processors operable or operating according to a program.

The term configured for a purpose, or variants thereof, means designed and/or operable or working, using software and/or electronic circuitry, to achieve the purpose.

As used herein, without limitation, a module denotes a part of a system, such as a part of a program that operates together with other parts on the same unit, or a program component that operates on a different unit; and a process denotes a collection of operations for achieving a particular output.

The flowchart and block diagrams illustrate the architecture, functionality or operation of possible implementations of systems, methods and computer program products according to various embodiments of the disclosed subject matter. In this regard, each block in the flowchart or block diagrams may represent a module, segment or portion of program code, which comprises one or more executable instructions for implementing the specified logical function(s). It should also be noted that in some alternative implementations the illustrated operations may occur in a different order, or as parallel rather than sequential operations, to achieve the same or an equivalent effect.

The corresponding structures, materials, acts and equivalents of all means or step plus function elements in the claims below are intended to include any structure, material or act for performing the function in combination with other claimed elements as specifically claimed. As used herein, the singular forms "a", "an" and "the" are intended to include the plural forms as well, unless the context clearly indicates otherwise. It will be further understood that the terms "comprises" and/or "comprising", when used in this specification, specify the presence of the stated features, integers, steps, operations, elements and/or components, but do not preclude the presence or addition of one or more other features, integers, operations, elements, components and/or groups thereof.

The terminology used herein is for the purpose of describing particular embodiments only and is not intended to limit the disclosed subject matter. While particular embodiments of the disclosed subject matter have been illustrated and described, it will be clear that the invention is not limited to the embodiments described herein. Numerous modifications, changes, variations, substitutions and equivalents are not precluded.

Claims (11)

1. A scalable multi-platform system, comprising:
1) a plurality of platforms, wherein each platform is a computer and is connected to at least one other platform in the multi-platform system, and each platform comprises:
A) an operating system;
B) a file system in which data objects are stored;
C) a processor for intercepting file access events to the data objects on the platform; and
2) a number of servers, each server being connected to at least one platform;
wherein the file access events intercepted by the processor are provided to the servers for processing the events, and the number of servers and their connections to the platforms are variable and are set according to a determination of the load on the multi-platform system, so as to balance the load and to provide real-time acquisition and processing of events.
2. The system according to claim 1, wherein the determination of the load is based on the actual load.
3. The system according to claim 1, wherein the determination of the load is based on the expected load.
4. The system according to claim 1, wherein processing an event consists of determining, by at least one rule, an action in response to the event while taking into account separately provided auxiliary data of the accumulated activity history of the multi-platform system.
5. The system according to claim 4, wherein the at least one rule takes into account attributes of the accessed file.
6. The system according to claim 1, wherein the processor is configured to compress the data of an event by encoding the data of the event with corresponding codes that are smaller than the data being encoded.
7. The system according to claim 1, wherein the processor is configured to aggregate events having similar data with each other, so as to discard the redundant data of the events.
8. The system according to claim 4, wherein the auxiliary data is based on at least one of: a history of user activity on files used to generate permissions, user input, permissions to access the file system or a part thereof, designation of membership in a group relating to the file system or a part thereof, classification of files or groups of files, labels of files, or a designated owner of a file or group of files.
9. A method for scaling event handling in a multi-platform system, the method comprising:
providing a plurality of platforms, wherein each platform is a computer and is connected to at least one other platform in the multi-platform system, and each platform comprises:
A) an operating system;
B) a file system in which data objects are stored;
installing a processor on each platform of the multi-platform system, wherein the processor intercepts file access events to the data objects on the platform; and
connecting servers to the platforms, the servers being configured to acquire and process events according to a determination of the load on the multi-platform system, so as to balance the load and to provide real-time acquisition and processing of events.
10. The method according to claim 9, wherein the determination of the load is based on the actual load.
11. The method according to claim 9, wherein the determination of the load is based on the expected load.
CN201711104559.9A 2011-09-19 2011-09-19 Method and apparatus for event handling in a multi-platform system Expired - Fee Related CN107871003B (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201711104559.9A CN107871003B (en) 2011-09-19 2011-09-19 Method and apparatus for event handling in a multi-platform system

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
CN201180073559.1A CN103858120B (en) 2011-09-19 2011-09-19 Method and apparatus for event handling in a multi-platform system
PCT/IL2011/000742 WO2013042102A1 (en) 2011-09-19 2011-09-19 A method and appratus for events handling in a multi-platform system
CN201711104559.9A CN107871003B (en) 2011-09-19 2011-09-19 Method and apparatus for event handling in a multi-platform system

Related Parent Applications (1)

Application Number Title Priority Date Filing Date
CN201180073559.1A Division CN103858120B (en) 2011-09-19 2011-09-19 Method and apparatus for event handling in a multi-platform system

Publications (2)

Publication Number Publication Date
CN107871003A true CN107871003A (en) 2018-04-03
CN107871003B CN107871003B (en) 2021-12-14

Family

ID=45688055

Family Applications (2)

Application Number Title Priority Date Filing Date
CN201180073559.1A Expired - Fee Related CN103858120B (en) 2011-09-19 2011-09-19 Method and apparatus for event handling in a multi-platform system
CN201711104559.9A Expired - Fee Related CN107871003B (en) 2011-09-19 2011-09-19 Method and apparatus for event handling in a multi-platform system

Country Status (3)

Country Link
EP (1) EP2758898A1 (en)
CN (2) CN103858120B (en)
WO (1) WO2013042102A1 (en)


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20211214