Abnormality detection method and device, electronic equipment and storage medium
By generating core events using supplementary second process information from the server when no process information can be found on the agent side, the problem of low efficiency of manual path input is solved, and highly reliable anomaly detection is achieved.
Patent Information
- Authority / Receiving Office
- CN · China
- Patent Type
- Applications(China)
- Current Assignee / Owner
- TENCENT TECHNOLOGY (SHENZHEN) CO LTD
- Filing Date
- 2024-12-25
- Publication Date
- 2026-06-26
AI Technical Summary
In existing technologies, manually entering process file paths for querying is inefficient and prone to errors, making it impossible to accurately analyze the causes of anomalies in core dump files and reducing the reliability of anomaly detection.
If the first process information cannot be found on the target proxy, the second process information uploaded by other proxies is obtained through the server, a core event is generated and sent to the server for analysis to determine the cause of the anomaly.
This improves the reliability of anomaly detection, ensuring accurate analysis of the cause of anomalies in the target core dump file even in the absence of first-process information, thus avoiding analysis failures due to missing information.
Smart Images

Figure CN122285331A_ABST
Abstract
Description
Technical Field
[0001] This disclosure relates to the field of computer technology, and in particular to an anomaly detection method, apparatus, electronic device, and storage medium. Background Technology
[0002] When a process encounters an exception during execution, a corresponding core dump file is generated. Analysis of this core dump file requires the process file. Currently, the process file path is typically entered manually, and then the process file is queried using that path. However, manual input is inefficient, resulting in low query efficiency and the possibility of input errors. This can lead to the inability to retrieve the process file, making it impossible to analyze the cause of the exception in the target core dump file, thus reducing the reliability of anomaly detection. Summary of the Invention
[0003] The following is an overview of the subject matter described in detail in this disclosure. This overview is not intended to limit the scope of the claims.
[0004] This disclosure provides an anomaly detection method, apparatus, electronic device, and storage medium, which can improve the reliability of anomaly detection.
[0005] On one hand, embodiments of this disclosure provide an anomaly detection method, including:
[0006] When a target core dump file is detected to be stored, the first process information of the target process is queried in the target agent based on the target core dump file. The target agent can be any one of multiple agents, and all of the multiple agents communicate with the server.
[0007] When the first process information is not found, the second process information of the target process is queried from the server based on the target core dump file. The second process information is collected and uploaded to the server by other agents. The other agents are agents other than the target agent among the plurality of agents.
[0008] Based on the second process information, query the process file of the target process in the target agent, and generate core events based on the target core dump file and the process file;
[0009] The core event is sent to the server so that the server can analyze the target core dump file based on the process file to obtain the target stack data of the target process, wherein the target stack data is used to determine the cause of the abnormality of the target process.
[0010] On the other hand, this disclosure also provides an anomaly detection method, including:
[0011] When the target proxy detects that the target core dump file has been stored, and the first process information of the target process is not found in the target proxy based on the target core dump file, the second process information of the target process is queried based on the target core dump file, and the second process information is sent to the target proxy. The target proxy can be any one of multiple proxy clients, and all of the multiple proxy clients communicate with the server. The second process information is collected and uploaded to the server by other proxy clients, and the other proxy clients are proxy clients other than the target proxy client among the multiple proxy clients.
[0012] Receive core events sent by the target agent, wherein the core events are generated by the target agent based on the target core dump file and the process file of the target process, and the process file is obtained by the target agent by querying the target agent based on the second process information of the target process.
[0013] In response to the core event, the target core dump file is analyzed based on the process file to obtain the target stack data of the target process, wherein the target stack data is used to determine the cause of the anomaly of the target process.
[0014] On the other hand, embodiments of this disclosure also provide an anomaly detection device, including:
[0015] The first query module is used to query the first process information of the target process in the target agent based on the target core dump file when the target core dump file is detected to be stored. The target agent is any one of multiple agents, and all of the multiple agents communicate with the server.
[0016] The second query module is used to query the server for the second process information of the target process based on the target core dump file when the first process information is not found. The second process information is collected and uploaded to the server by other agents, and the other agents are agents other than the target agent among the plurality of agents.
[0017] The generation module is used to query the process file of the target process in the target agent based on the second process information, and generate core events based on the target core dump file and the process file;
[0018] The sending module is used to send the core event to the server so that the server can analyze the target core dump file based on the process file to obtain the target stack data of the target process, wherein the target stack data is used to determine the cause of the abnormality of the target process.
[0019] Furthermore, the target core dump file includes the target process name of the target process, and the server stores information on multiple candidate processes, including the candidate process names of the candidate processes. The second query module is specifically used for:
[0020] Generate a query request based on the target process name;
[0021] The query request is sent to the server so that the server can match the target process name with each of the candidate process names and query the second process information of the target process from each of the candidate process information based on the matching results.
[0022] Receive the second process information sent by the server.
[0023] Furthermore, the aforementioned anomaly detection device also includes a first processing module, which is specifically used for:
[0024] When the first process information is retrieved, the process file is queried in the target agent based on the first process information, and the core event is generated based on the target core dump file and the process file. The first process information is collected by the target agent and uploaded to the server so that the server can store the first process information as the candidate process information.
[0025] The core event is sent to the server so that the server can analyze the target core dump file based on the process file to obtain the target stack data.
[0026] Furthermore, the aforementioned generation module is specifically used for:
[0027] The target core dump file and the process file are sent to the server so that the server can generate a first access link for accessing the target core dump file and the process file.
[0028] When the first access link returned by the server is received, a core event is generated based on the first access link.
[0029] Furthermore, the target core dump file includes the target process name of the target process, and the aforementioned generation module is specifically used for:
[0030] Obtain the name of the reference process, wherein the reference process is a process unrelated to the target business;
[0031] The target process name is matched with the reference process name. When the target process name is different from the reference process name, a core event is generated based on the first access link.
[0032] Furthermore, the aforementioned anomaly detection device also includes a recording module, which is specifically used for:
[0033] Based on the second process information, the target agent queries the process log of the target process and sends the process log to the server so that the server can generate a second access link for downloading the process log.
[0034] The environment information of the target process is obtained and sent to the server so that the server can associate and record the first access link, the second access link, the second process information and the environment information.
[0035] Furthermore, the aforementioned anomaly detection device also includes an alarm module, which is specifically used for:
[0036] If the first access link returned by the server is not received, the target core dump file and the process file are sent to the server again.
[0037] If the first access link is still not received from the server, an alarm message is generated.
[0038] Furthermore, the target core dump file includes the target process name of the target process, and the aforementioned generation module is specifically used for:
[0039] Based on the first time point when the target core dump file is stored, query historical core dump files among all stored core dump files, wherein the second time point when the historical core dump file is stored is before the first time point, and the time interval between the second time point and the first time point is less than or equal to a preset interval threshold.
[0040] When the historical core dump file is retrieved, the target process name is matched with the historical process names included in the historical core dump file;
[0041] When the target process name is different from the historical process name, a core event is generated based on the target core dump file and the process file.
[0042] On the other hand, embodiments of this disclosure also provide an anomaly detection device, including:
[0043] The third query module is used to query the second process information of the target process based on the target core dump file when the target agent detects that the target core dump file has been stored, and the first process information of the target process is not found in the target agent based on the target core dump file, and send the second process information to the target agent. The target agent can be any one of multiple agents, and all of the multiple agents communicate with the server. The second process information is collected and uploaded to the server by other agents, and the other agents are agents other than the target agent among the multiple agents.
[0044] The receiving module is used to receive core events sent by the target agent, wherein the core events are generated by the target agent based on the target core dump file and the process file of the target process, and the process file is obtained by the target agent by querying the target agent based on the second process information of the target process.
[0045] An analysis module is used to respond to the core event by analyzing the target core dump file based on the process file to obtain the target stack data of the target process, wherein the target stack data is used to determine the cause of the anomaly of the target process.
[0046] Furthermore, the aforementioned analysis module is specifically used for:
[0047] The process file and the target core dump file are input into at least one of the first and second debugging tools. The target core dump file is analyzed by at least one of the first and second debugging tools to obtain the target stack data of the target process.
[0048] The first debugging tool is used to analyze files written in a first programming language, and the second debugging tool is used to analyze files written in either the first or a second programming language, wherein the second programming language is different from the first programming language, and the second debugging tool has better analysis performance for files written in the second programming language than for files written in the first programming language.
[0049] Furthermore, the aforementioned analysis module is specifically used for:
[0050] The process file and the target core dump file are input into the first debugging tool, and the target core dump file is analyzed by the first debugging tool to obtain the first debugging result;
[0051] When the first debugging result indicates that the target core dump file has been successfully debugged, the target stack data of the target process is determined based on the first debugging result.
[0052] When the first debugging result indicates that the debugging of the target core dump file has failed, the process file and the target core dump file are input into the second debugging tool. The second debugging tool analyzes the target core dump file to obtain the target stack data of the target process.
[0053] Furthermore, the aforementioned analysis module is specifically used for:
[0054] The process file and the target core dump file are input into the second debugging tool, and the target core dump file is analyzed by the second debugging tool to obtain the second debugging result;
[0055] When the second debugging result does not contain any keywords related to the first programming language, the target stack data of the target process is determined based on the second debugging result;
[0056] When the second debugging result contains keywords related to the first programming language, the process file and the target core dump file are input into the first debugging tool. The first debugging tool analyzes the target core dump file to obtain the target stack data of the target process.
[0057] Furthermore, the aforementioned anomaly detection device also includes a second processing module, which is specifically used for:
[0058] The target stack data is hashed to obtain the target verification value;
[0059] The target verification value is matched with a reference verification value, wherein the reference verification value is obtained by hashing the stack data corresponding to the other agent ends;
[0060] When the target check value is different from the reference check value, the target stack data is recorded in the anomaly detection table; or, when the target check value is the same as the reference check value, the target stack data is removed.
[0061] On the other hand, this disclosure also provides an electronic device, including a memory and a processor, wherein the memory stores a computer program, and the processor executes the computer program to implement the above-described anomaly detection method.
[0062] On the other hand, embodiments of this disclosure also provide a computer-readable storage medium storing a computer program that is executed by a processor to implement the above-described anomaly detection method.
[0063] On the other hand, this disclosure also provides a computer program product comprising a computer program stored in a computer-readable storage medium. A processor of a computer device reads the computer program from the computer-readable storage medium and executes the computer program, causing the computer device to perform the above-described anomaly detection method.
[0064] The embodiments disclosed herein include at least the following beneficial effects: When an anomaly is detected (i.e., when a target core dump file is stored), the first process information of the target process is first queried in the target agent. If the first process information is not found, the second process information about the target process, collected and uploaded by other agents, is queried from the server based on the target core dump file. The process file of the target process is then queried in the target agent using the second process information, enabling rapid retrieval of the process file. The core events generated based on the target core dump file and the process file are then sent to the server, allowing the server to analyze the target core dump file based on the process file, thereby obtaining target stack data used to determine the cause of the anomaly. Therefore, when an anomaly occurs but the target agent has not yet recorded the first process information, the second process information is supplemented by the server, ensuring that the process file query process is not affected. This avoids the inability to retrieve the process file due to the lack of first process information, thus ensuring that the analysis process of the target core dump file is not affected, effectively analyzing the cause of the anomaly corresponding to the target core dump file, thereby improving the reliability of anomaly detection.
[0065] Other features and advantages of this disclosure will be set forth in the following description and will be apparent in part from the description or may be learned by practicing this disclosure. Attached Figure Description
[0066] The accompanying drawings are provided to further understand the technical solutions of this disclosure and constitute a part of the specification. They are used together with the embodiments of this disclosure to explain the technical solutions of this disclosure and do not constitute a limitation on the technical solutions of this disclosure.
[0067] Figure 1 A schematic diagram of an optional implementation environment provided for an embodiment of this disclosure;
[0068] Figure 2 A schematic flowchart of an optional anomaly detection method provided in an embodiment of this disclosure;
[0069] Figure 3 A schematic diagram of an optional anomaly detection process provided in an embodiment of this disclosure;
[0070] Figure 4 A schematic flowchart of an optional anomaly detection method provided in an embodiment of this disclosure;
[0071] Figure 5 A schematic diagram of an optional process for analyzing the core dump file of the target data provided in this embodiment of the disclosure;
[0072] Figure 6 Another optional flowchart illustrating the analysis target core dump file provided in this embodiment of the disclosure;
[0073] Figure 7 A schematic diagram of an optional architecture of the anomaly detection system provided in this embodiment of the disclosure;
[0074] Figure 8 A timing diagram of an optional anomaly detection method provided in an embodiment of this disclosure;
[0075] Figure 9 A schematic diagram of an optional process for a target agent provided in an embodiment of this disclosure;
[0076] Figure 10 A schematic diagram of an optional server-side process provided in an embodiment of this disclosure;
[0077] Figure 11 This is a schematic diagram of an optional structure of the anomaly detection device provided in an embodiment of the present disclosure;
[0078] Figure 12 This is another optional structural schematic diagram of the anomaly detection device provided in the embodiments of this disclosure;
[0079] Figure 13 This is a partial structural block diagram of a terminal provided in an embodiment of the present disclosure;
[0080] Figure 14 This is a partial structural block diagram of a server provided in an embodiment of this disclosure. Detailed Implementation
[0081] To make the objectives, technical solutions, and advantages of this disclosure clearer, the following detailed description is provided in conjunction with the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative and are not intended to limit the scope of this disclosure.
[0082] It should be noted that in the various specific embodiments of this disclosure, when processing is required based on data related to the characteristics of the target object, such as target object attribute information or a set of attribute information, the permission or consent of the target object will be obtained first. Furthermore, the collection, use, and processing of this data will comply with relevant laws, regulations, and standards. The target object can be a user. In addition, when embodiments of this disclosure require obtaining target object attribute information, separate permission or consent from the target object will be obtained through pop-ups or redirection to a confirmation page. Only after obtaining the target object's separate permission or consent will the necessary target object-related data for the normal operation of the embodiments of this disclosure be obtained.
[0083] In this disclosure, the terms "module" or "unit" refer to a computer program or part of a computer program that has a predetermined function and works with other related parts to achieve a predetermined goal, and can be implemented wholly or partially using software, hardware (such as processing circuitry or memory), or a combination thereof. Similarly, a processor (or multiple processors or memory) can be used to implement one or more modules or units. Furthermore, each module or unit can be part of an overall module or unit that includes the functionality of that module or unit.
[0084] Currently, the process file path is usually entered manually, and then the process file is queried through that path. However, manual input is inefficient, resulting in low query efficiency for process files. Moreover, there is the possibility of input errors, which may lead to the inability to query process files, make it impossible to analyze the cause of the anomaly corresponding to the target core dump file, and reduce the reliability of anomaly detection.
[0085] Based on this, the present disclosure provides an anomaly detection method, apparatus, electronic device, and storage medium, which can improve the reliability of anomaly detection.
[0086] Reference Figure 1 , Figure 1 This is a schematic diagram of an optional implementation environment provided by an embodiment of the present disclosure. The implementation environment includes a target agent 101 and a server 102, wherein the target agent 101 and the server 102 are connected through a communication network.
[0087] For example, when the target agent 101 detects that the target core dump file has been stored, the target agent 101 queries the first process information of the target process based on the target core dump file. The target agent 101 can be any one of multiple agents, all of which communicate with the server 102. If the first process information is not found, the target agent 101 queries the server 102 for the second process information of the target process based on the target core dump file. The second process information is collected and uploaded to the server by other agents, which are agents other than the target agent 101 among the multiple agents. Based on the second process information, the target agent 101 queries the process file of the target process and generates a core event based on the target core dump file and the process file. The target agent 101 sends the core event to the server 102, so that the server 102 can analyze the target core dump file based on the process file to obtain the target stack data of the target process. The target stack data is used to determine the cause of the target process's anomaly.
[0088] When the target agent 101 detects that the target core dump file has been stored, i.e., when an anomaly occurs, it first queries the first process information of the target process in the target agent 101. If the first process information is not found, it then queries the server 102 for the second process information about the target process collected and uploaded by other agents, based on the target core dump file. The second process information is then used to query the process file of the target process in the target agent 101, enabling a quick retrieval of the process file. The core events generated based on the target core dump file and the process file are then sent to the server 102. The server 102 then analyzes the target core dump file based on the process file to obtain target stack data used to determine the cause of the anomaly. Therefore, when an anomaly occurs but the target agent 101 has not yet recorded the first process information, relying on the server 102 to supplement the second process information ensures that the process file query process is not affected. This avoids the inability to retrieve the process file due to a lack of first process information, thus ensuring that the analysis process of the target core dump file is unaffected and effectively analyzing the anomaly cause corresponding to the target core dump file, thereby improving the reliability of anomaly detection.
[0089] Server 102 can be a standalone physical server, a server cluster or distributed system composed of multiple physical servers, or a cloud server providing basic cloud computing services such as cloud services, cloud databases, cloud computing, cloud functions, cloud storage, network services, cloud communication, middleware services, domain name services, security services, CDN (Content Delivery Network), and big data and artificial intelligence platforms. Additionally, server 102 can also be a node server in a blockchain network.
[0090] The target agent 101 can be a mobile phone, computer, smart voice interaction device, smart home appliance, vehicle terminal, etc., but is not limited to these. The target agent 101 and the server 102 can be directly or indirectly connected through wired or wireless communication, and this embodiment of the disclosure does not impose any limitations.
[0091] Reference Figure 2 , Figure 2 This is an optional flowchart of an anomaly detection method provided in an embodiment of the present disclosure. The anomaly detection method can be executed by the target proxy or by the server and the target proxy together. The anomaly detection method includes, but is not limited to, the following steps 201 to 204.
[0092] Step 201: When the target core dump file is detected to be stored, query the first process information of the target process in the target agent based on the target core dump file.
[0093] The target agent can be any one of multiple agents. All agents communicate with the server, and any one agent can run the target process. For example, agents1, agent2, and agent3 all communicate with the server. The target agent can be any one of agents1, agent2, and agent3.
[0094] A core dump is the process by which the operating system records the memory state of a program when it terminates or crashes abnormally during runtime. This memory state is saved in a core dump file, which can be considered a "memory snapshot." However, in addition to memory information, some crucial program runtime states are also dumped simultaneously, such as register information (including the program pointer, stack pointer, etc.), memory management information, other processor states and information, and operating system states and information. Core dumps are extremely helpful for programmers in diagnosing and debugging programs because some program errors are difficult to reproduce, such as pointer exceptions, while core dump files can recreate the situation at the time of the error.
[0095] Understandably, the target agent can be configured to store the core dump file to a specified target storage path, and then continuously detect whether a new core dump file is stored in the target storage path. The new core dump file stored in the target storage path is used as the target core dump file. Therefore, detecting that a new core dump file is stored in the target storage path is equivalent to detecting that the target core dump file is stored. The target process is the process associated with the target core dump file. When the target core dump file is detected to be stored, the first process information of the target process is queried in the target agent based on the target core dump file, which is equivalent to first querying the process information associated with the target core dump file locally.
[0096] Step 202: If the first process information is not found, query the server for the second process information of the target process based on the target core dump file.
[0097] The second process information is collected and uploaded to the server by other agents. These other agents are those other than the target agent. Continuing the previous example, when the target agent is agent1, the other agents are agent2 or agent3. Specifically, the second process information is generated based on the processes running on other agents. These other agents can collect process information periodically or in real time and upload it to the server. Therefore, the second process information is also collected and uploaded to the server by other agents, enabling the target agent to query the server for the second process information of the target process.
[0098] It is understandable that when the target core process file is detected to be stored but the first process information is not found, it means that the target process has an anomaly but the target agent has not yet recorded the corresponding first process information. At this time, the second process information of the target process is queried from the server based on the target core dump file. Relying on the server to supplement the second process information can avoid the loss of process information of the target process.
[0099] In one possible implementation, the server may include a database system for storing structured data. The database system may be deployed on a dedicated database node to provide reliable data management services. Since the data structure of the second process information is usually structured, the second process information uploaded to the server can be written into the database system. The server can interact with the database system through the Data Access Object (DAO) pattern to perform data query operations, and then accurately and quickly query the second process information in the database system based on the target core dump file.
[0100] Step 203: Based on the second process information, query the process file of the target process in the target agent, and generate core events based on the target core dump file and the process file.
[0101] In this scenario, when the target agent has not yet recorded the first process information, the server supplements the second process information. Then, the process file of the target process is queried in the target agent using the second process information, so that the process file query process is not affected and the process file cannot be queried due to the lack of first process information.
[0102] Understandably, the second process information includes executable commands and the file path of the process file. Therefore, after retrieving the second process information, the process file can be queried in the target agent through the file path of the second process information, and then core events can be generated based on the target core dump file and the process file. Specifically, the process file is usually a binary file.
[0103] Step 204: Send a core event to the server so that the server can analyze the target core dump file based on the process file to obtain the target stack data of the target process.
[0104] Among them, the target stack data is used to determine the cause of the anomaly in the target process. Since the core events are generated based on the target core dump file and the process file, the server can accurately analyze the target core dump file based on the process file when consuming the core events, which effectively improves the accuracy and reliability of anomaly detection.
[0105] Based on this, when an anomaly is detected (i.e., when the target core dump file is stored), the system first queries the first process information of the target process in the target agent. If the first process information is not found, it then queries the server for second process information about the target process collected and uploaded by other agents, based on the target core dump file. The second process information is then used to query the target process's process file in the target agent, allowing for rapid retrieval of the process file. The core events generated based on the target core dump file and the process file are then sent to the server. The server then analyzes the target core dump file based on the process file to obtain target stack data used to determine the cause of the anomaly. Therefore, when an anomaly occurs but the target agent has not yet recorded the first process information, relying on the server to supplement the second process information ensures that the process file query process is unaffected. This avoids the inability to retrieve the process file due to a lack of first process information, thus ensuring that the analysis process of the target core dump file is unaffected and effectively identifying the anomaly cause corresponding to the target core dump file, thereby improving the reliability of anomaly detection.
[0106] In one possible implementation, the server may include a cloud analytics module, which can be deployed on high-performance computing nodes to provide large-scale data processing and analysis services. The cloud analytics module sends core events to the server, specifically to the cloud analytics module on the server, so that the cloud analytics module can analyze the target core dump file based on the process file to obtain the target stack data of the target process, which can effectively improve the analysis efficiency of the target stack data.
[0107] In one possible implementation, the target core dump file includes the target process name of the target process. The server stores information on multiple candidate processes, including the candidate process names of the candidate processes. Based on the target core dump file, the server queries the second process information of the target process. Specifically, this can be done by generating a query request based on the target process name; sending the query request to the server so that the server can match the target process name with each candidate process name; querying the second process information of the target process from each candidate process information based on the matching results; and receiving the second process information sent by the server.
[0108] Among them, candidate process information is collected by other agents and uploaded to the server. Candidate process is a process running on other agents. The candidate process name is the identifier of the candidate process, and the candidate process name can be used to identify the candidate process. The target process name is the identifier of the target process, and the target process name can be used to locate the target process.
[0109] It should be noted that when candidate processes from other agents are running, these agents can obtain the candidate process information and upload it to the server for data storage. This can prevent the loss of candidate process information and also provide different agents with process information for querying process files.
[0110] Based on this, the target proxy generates a query request based on the target process name and sends the query request to the server. After receiving the query request, the server matches the target process name with each candidate process name to determine whether the target process name and the candidate process name are the same. When the target process name and the candidate process name are the same, it means that the target process and the candidate process corresponding to that candidate process name are the same process. When the target process name and the candidate process name are different, it means that the target process and the candidate process corresponding to that candidate process name are different processes. Based on the matching results, the candidate process information corresponding to the candidate process name that is the same as the target process name is accurately determined as the second process information. The server sends the second process information to the target proxy, so that the target proxy can accurately query the process file of the target process through the second process information, so that the process file query process is not affected, thereby ensuring that the analysis process of the target core dump file is not affected, and also avoiding errors in the analysis process of the target core dump file.
[0111] In one possible implementation, the server may include a database system for storing structured data. Information about each candidate process can be written into the server's database system. The server's cloud analytics module can interact with the database system through a DAO model based on query requests, thereby matching the target process name with the candidate process names in the database system, and accurately and quickly retrieving the second process information from the database system.
[0112] In one possible implementation, the anomaly detection method further includes: when the first process information is retrieved, querying the process file in the target agent based on the first process information, generating a core event based on the target core dump file and the process file; sending the core event to the server so that the server can analyze the target core dump file based on the process file to obtain the target stack data.
[0113] The first process information is collected by the target agent and uploaded to the server so that the server can store the first process information as candidate process information. Specifically, the target agent can collect the first process information, for example, by collecting it periodically or in real time. Then, the collected first process information is first stored in the target agent's local storage, for example, in memory, and then uploaded to the server so that the first process information can be used as candidate process information for other agents when querying the second process information.
[0114] It is understandable that the first process information includes the target process name, and the target kernel dump file also includes the target process name, so the first process information can be retrieved based on the target process name. The first process information also includes executable commands and the file path of the process file, so after retrieving the first process information, the process file can be retrieved on the target agent using the file path in the first process information.
[0115] Based on this, when the target agent detects that the target core dump file has been stored, i.e., when an anomaly occurs, it first queries the first process information of the target process in the target agent. When the target agent has recorded the first process information, it can effectively retrieve the first process information. Then, based on the first process information, it queries the process file in the target agent and sends the core events generated based on the target core dump file and the process file to the server. This allows the server to analyze the target core dump file based on the process file. Since there is no need to query the server for the second process information of the target process, the efficiency of process information retrieval can be effectively improved, thereby effectively improving the efficiency of target core dump file analysis.
[0116] In one possible implementation, the server may include a database system for storing structured data. The database system may be deployed on database nodes. Since the data structure of the first process information is usually structured, the first process information uploaded to the server can be written to the database system.
[0117] For example, refer to Figure 3 , Figure 3 A schematic diagram of an optional anomaly detection process provided in an embodiment of this disclosure;
[0118] Among them, such as Figure 3 As shown in the process of process collection and process recording, for newly added processes in operation, the agent can extract process information and send the process information as a process event to the Kakfa message queue. The server can consume the process events in the Kakfa message queue, process the process information, and write the process information to the database system, thus achieving accurate recording of process information and achieving a "good" result.
[0119] In one possible implementation, a core event is generated based on the target core dump file and the process file. Specifically, the target core dump file and the process file are sent to the server so that the server can generate a first access link for accessing the target core dump file and the process file. When the first access link is received from the server, a core event is generated based on the first access link.
[0120] The first access link is used to access the target core dump file and process file stored on the server. That is, the first access link can point to the path of the target core dump file and process file on the server, thereby enabling the download, viewing or use of the file. For example, the first access link may include protocol, domain name, path, authentication information, etc.
[0121] Based on this, the target proxy sends the target core dump file and process file to the server, which can prevent the loss of the target core dump file and process file and improve data security. Then, the target proxy can receive the first access link returned by the server. The target proxy generates a core event based on the first access link and sends the core event to the server. The server can pull the target core dump file and process file through the first access link, and then analyze the target core dump file based on the process file to ensure the effective execution of the analysis process.
[0122] In one possible implementation, the server may include a cloud storage module for storing unstructured data. This cloud storage module can be deployed on dedicated storage nodes to provide efficient data storage services. Since the target core dump file and process files are typically unstructured, the target core dump file and process files sent to the server can be written to the cloud storage module, enabling it to store them. The server can also generate a first access link based on the paths of the target core dump file and process files in the cloud storage module and return this link to the target proxy. The target proxy can then send the core events generated based on the first access link to the server's cloud analysis module. This allows the cloud analysis module to download the target core dump file and process files stored in the storage node via the first access link, and analyze the target core dump file based on the process files to obtain the target stack data of the target process.
[0123] For example, refer again Figure 3 ,like Figure 3As shown in the core detection and core analysis process, after obtaining the process file, the agent can upload the target core dump file and the process file to the server's cloud storage module (Cloud Object Storage, COS) and receive the returned first access link. Then, based on the first access link, a core event is generated and sent to the Kakfa message queue. The server can consume the core events in the Kakfa message queue, and then create an analysis task. Through the first access link, the target core dump file and the process file stored in the storage node are downloaded, achieving accurate use of process information and achieving a "good" result. Based on the process file, the target core dump file is analyzed, that is, core analysis is performed to obtain the target stack data of the target process.
[0124] In one possible implementation, the target core dump file includes the target process name of the target process, and a core event is generated based on the first access link. Specifically, this could involve obtaining the reference process name of the reference process, matching the target process name with the reference process name, and generating a core event based on the first access link when the target process name and the reference process name are different.
[0125] Specifically, processes related to the target business refer to processes that provide support for the target business or perform related functions. These processes are closely related to the target business and are the core part of realizing the business. For example, if the target business is order management, then the order management process is a process related to the target business.
[0126] Among them, reference processes are processes unrelated to the target business; they are essentially blacklisted processes. Reference processes can be system processes or other processes unrelated to the target business. The reference process name serves as the identifier for the reference process, allowing it to be identified. The target process name serves as the identifier for the target process, allowing it to be located. Specifically, the reference process names can be recorded and retrieved through the configuration center.
[0127] Based on this, the target process name is matched with the reference process name to determine whether the target process name and the reference process name are the same. When the target process name and the reference process name are different, it means that the target process and the reference process are different processes, that is, the target process is a process related to the target business, indicating that the target process is not a blacklist process. Only when the target process name and the reference process name are different can a core event be generated based on the first access link and sent. This ensures that anomalies occurring in processes related to the target business can be effectively reported, thereby improving the accuracy and reliability of anomaly detection related to the target business.
[0128] In one possible implementation, the anomaly detection method further includes: querying the process log of the target process in the target agent based on the second process information, sending the process log to the server so that the server can generate a second access link for downloading the process log; obtaining the environment information of the target process, sending the environment information to the server so that the server can associate and record the first access link, the second access link, the second process information, and the environment information.
[0129] The process log of the target process is the information recorded during the execution of the target process. The process log may include process identifier, log generation time, process status information, resource usage, process operation records, event information, etc. The process log can help relevant personnel to fully understand the process operation status. The process log can be queried through the log path in the second process information. Similarly, the process log can also be queried through the log path in the first process information. The second access link is used to access the process log stored on the server. That is, the second access link can point to the path of the process log on the server, thereby enabling the download, viewing or use of the process log. For example, the second access link may include protocol, domain name, path, authentication information, etc.
[0130] The environmental information refers to information related to the runtime environment of the target process. For example, the environmental information may be the configuration information of the runtime environment, environment variables, dependent libraries or frameworks, etc. Typically, the target agent can obtain the environmental information of the target process when the process starts running. Subsequently, when the target core dump file is detected to be stored, the environmental information can be sent to the server. Alternatively, the environmental information of the target process can be obtained after the target core dump file is detected to be stored. This embodiment of the present disclosure does not limit this.
[0131] Understandably, the second process information also includes the log path of the process log. Therefore, after retrieving the second process information, the process log can be queried in the target agent through the log path of the second process information.
[0132] Based on this, the target proxy can obtain the process logs of the target process and send them to the server, thus avoiding process log loss and improving data security. Then, the target proxy can receive the second access link returned by the server, obtain the environment information, and send it to the server. This allows the server to associate and record the first access link, the second access link, the second process information, and the environment information. This helps relevant personnel to comprehensively and accurately analyze the anomaly cause corresponding to the target core dump file through the associated records, thereby further improving the reliability of anomaly detection.
[0133] Specifically, after the environment information is sent to the server, a corresponding environment instance identifier can be created for the environment information. The environment information is located through the environment instance identifier. The first access link, the second access link, the second process information, and the environment information are associated and recorded. Specifically, whenever an exception occurs, the server adds a record containing the first access link, the second access link, the second process information, and the environment instance identifier to the exception detection table. Subsequently, the accurate environment information can be located through the environment instance identifier in the exception detection table. Since the amount of data for the first access link, the second access link, and the environment instance identifier is relatively small, each record occupies less storage space, thus effectively saving storage costs and reducing retrieval complexity, thereby improving retrieval efficiency.
[0134] In one possible implementation, the server may include a detection service module. The server's cloud analysis module can associate and upload the first access link, the second access link, the second process information, and the environment information to the detection service module, so that the detection service module can associate and record the first access link, the second access link, the second process information, and the environment information in the anomaly detection table.
[0135] For example, refer again Figure 3 ,like Figure 3 As shown in the core analysis process, after the server obtains the target stack data through core analysis, it can report the target stack data as a core event to the detection service module and update the task status.
[0136] In one possible implementation, after sending the target core dump file and process file to the server, the anomaly detection method further includes: if the first access link returned by the server is not received, sending the target core dump file and process file to the server again; if the first access link returned by the server is still not received, generating an alarm message.
[0137] Based on this, if the first access link returned by the server is not received, it means that the upload operation of the target core dump file and process file has failed. At this time, sending the target core dump file and process file to the server again is equivalent to retrying the upload task. If the upload operation retry is successful, no alarm information needs to be generated. However, if the first access link returned by the server is still not received, it means that the upload operation retry has failed, and an alarm information is generated and output. This can promptly notify relevant personnel of the upload operation failure, enabling them to locate the target core dump file and process file that failed to upload, ensuring that the target core dump file and process file can be processed, thereby ensuring that the analysis process of the target core dump file is not affected, and further improving the reliability of anomaly detection.
[0138] Specifically, alarm information can be notified to relevant personnel through various notification methods, such as email, SMS, voice broadcast, pop-up window, etc. Depending on different scenarios, multiple notification methods can be combined to ensure that alarm information can be notified to relevant personnel in a timely manner. This disclosure embodiment does not limit the notification method for alarm information.
[0139] For example, refer again Figure 3 ,like Figure 3 As shown in the core detection process, the agent generates an alarm message when the upload operation fails to retry during the core detection process, thus achieving the effect of "no omissions".
[0140] In one possible implementation, the target core dump file includes the target process name. Core events are generated based on the target core dump file and the process file. Specifically, based on the first time point when the target core dump file is stored, historical core dump files are queried among all stored core dump files. The second time point when the historical core dump file is stored is before the first time point, and the time interval between the second time point and the first time point is less than or equal to a preset interval threshold. When a historical core dump file is found, the target process name is matched with the historical process name included in the historical core dump file. When the target process name is different from the historical process name, a core event is generated based on the target core dump file and the process file.
[0141] Before generating core events, historical core dump files are queried among all stored core dump files based on the first time point when the target core dump file is stored. Since the second time point when the historical core dump file is stored is before the first time point, and the time interval between the second time point and the first time point is less than or equal to the interval threshold, the interval threshold can be regarded as the size of the time interval. Thus, the historical core dump file is a core dump file that occurred within a certain time interval before the target core dump file was stored. The target process name is the identifier of the target process, which can be used to locate the target process. The historical process name is the identifier of the historical process, which can be used to represent the historical process. The historical process and the target process can be the same process.
[0142] Based on this, after identifying the historical core dump file, the target process name is matched with the historical process name to determine if they are the same. When the target process name is different from the historical process name, it means that the historical process and the target process are different processes. That is, the target core dump file and the historical core dump file are core dump files generated by different processes experiencing anomalies. This indicates that the target process only experienced an anomaly once within a certain time interval. Only when the target process name is different from the historical process name can a core event be generated based on the target core dump file and the process file, and the core event is sent. This ensures that the single anomaly that occurred in the target process within a certain time interval can be effectively reported, thereby improving the accuracy and reliability of anomaly detection.
[0143] It should be noted that the target process name is matched with the historical process names included in the historical core dump files. When the target process name is the same as the historical process name, it means that the historical process and the target process can be the same process. That is, the target core dump file and the historical core dump file are core dump files generated by the same process when an exception occurs. This indicates that the target process has experienced multiple exceptions within a certain time interval. Assuming that the detected target core dump file and the queried process files are copied to a temporary working directory, if the above situation of the target process name being the same as the historical process name is met, the working directory will be deleted. This is equivalent to removing the target core dump file and process files from the working directory. Subsequently, there is no need to generate core events based on the target core dump file and process files. This is equivalent to ignoring the exception events corresponding to the target core dump file. In addition to deleting the working directory, the target core dump file can also be directly ignored, and the operation of generating core events based on the target core dump file and process files will not be performed. This avoids the repeated reporting of exceptions that occurred in the target process within a certain time interval, which can reduce resource consumption and improve the analysis efficiency of anomaly detection.
[0144] Understandably, by setting appropriate interval thresholds, it is possible to balance the analysis efficiency and accuracy of anomaly detection. This avoids repeated reporting of anomalies occurring in the same process within a short period of time, thereby improving the analysis efficiency of anomaly detection, while ensuring that single anomalies occurring in different processes within a certain time interval can be effectively reported, thereby improving the accuracy of anomaly detection.
[0145] For example, refer again Figure 3 ,like Figure 3As shown in the core detection process, the agent sets filtering rules during the core detection process. Specifically, it needs to match the target process name with the historical process names included in the historical core dump file. Only when the target process name is different from the historical process name will the process file be obtained. Then, based on the target core dump file and the process file, core events are generated, thus achieving process deduplication and achieving the effect of "non-duplication".
[0146] Reference Figure 4 , Figure 4 This is an optional flowchart of an anomaly detection method provided in an embodiment of the present disclosure. The anomaly detection method can be executed by the server or jointly by the proxy and the server. The anomaly detection method includes, but is not limited to, the following steps 401 to 403.
[0147] Step 401: When the target agent detects that the target core dump file has been stored, and the first process information of the target process is not found in the target agent based on the target core dump file, the second process information of the target process is queried based on the target core dump file, and the second process information is sent to the target agent.
[0148] Step 402: Receive the core events sent by the target agent.
[0149] Step 403: In response to a core event, analyze the target core dump file based on the process file to obtain the target stack data of the target process.
[0150] The target proxy is any one of multiple proxies, all of which communicate with the server. The other proxies are those other than the target proxy. The second process information is collected by the other proxies and uploaded to the server. The core event is generated by the target proxy based on the target core dump file and the process file of the target process. The process file is obtained by the target proxy from the second process information of the target process. The target stack data is used to determine the cause of the abnormality of the target process.
[0151] Based on this, when the target agent detects that the target core dump file has been stored, i.e., when an anomaly occurs, it first queries the first process information of the target process in the target agent. If the first process information is not found, it then queries the server for the second process information about the target process collected and uploaded by other agents, based on the target core dump file. The second process information is then used to query the process file of the target process in the target agent, enabling rapid retrieval of the process file. The core events generated based on the target core dump file and the process file are then sent to the server. The server then analyzes the target core dump file based on the process file to obtain target stack data used to determine the cause of the anomaly. Therefore, when an anomaly occurs but the target agent has not yet recorded the first process information, relying on the server to supplement the second process information ensures that the process file query process is not affected. This avoids the inability to retrieve the process file due to the lack of first process information, thus ensuring that the analysis process of the target core dump file is unaffected and effectively analyzing the anomaly cause corresponding to the target core dump file, thereby improving the reliability of anomaly detection.
[0152] In one possible implementation, the target core dump file is analyzed based on the process file to obtain the target stack data of the target process. Specifically, the process file and the target core dump file can be input into at least one of the first and second debugging tools, and the target core dump file can be analyzed by the first and second debugging tools to obtain the target stack data of the target process.
[0153] The first debugging tool is used to analyze files written in the first programming language, and the second debugging tool is used to analyze files written in either the first or the second programming language. The second programming language is different from the first programming language. The second debugging tool has better performance in analyzing files written in the second programming language than in analyzing files written in the first programming language. The second debugging tool can analyze files written in the second programming language better.
[0154] Specifically, the first programming language can be Go, and the second programming language can be C, C++, or other programming languages. The first debugging tool can be the Delve debugger, which can effectively analyze files written in Go, but cannot debug files written in C, C++, or other programming languages. The second debugging tool can be the gdb debugger, which can effectively analyze files written in C, C++, or other programming languages. gdb can also be used to analyze files written in Go, but it cannot directly access some information in Go, and the readability of the stack information obtained from debugging is poor. In other words, gdb performs better than go in analyzing files written in C, C++, or other programming languages.
[0155] Based on this, under different configurations, the target core dump file can be a file written in a different programming language. Since the first debugging tool can analyze files written in the first programming language, and the second debugging tool can analyze files written in the second programming language, by using at least one of the first and second debugging tools, the target core dump file written in the first or second programming language can be effectively analyzed, thereby improving the accuracy and reliability of the target stack data.
[0156] In one possible implementation, the process file and the target core dump file are input into at least one of a first debugging tool and a second debugging tool. The target core dump file is analyzed by the first debugging tool and the second debugging tool to obtain the target stack data of the target process. Specifically, the process file and the target core dump file are input into the first debugging tool, and the first debugging tool analyzes the target core dump file to obtain a first debugging result. When the first debugging result indicates that the target core dump file is debugged successfully, the target stack data of the target process is determined based on the first debugging result. When the first debugging result indicates that the target core dump file is debugged unsuccessfully, the process file and the target core dump file are input into the second debugging tool, and the target core dump file is analyzed by the second debugging tool to obtain the target stack data of the target process.
[0157] Based on this, target core dump files are typically written in either a first or second programming language. A first debugging tool can be used to analyze these files. Since the first debugging tool can only analyze files written in the first programming language, successful debugging can be used as a criterion for determining the programming language of the target core dump file. Specifically, successful debugging indicates that the target core dump file was written in the first programming language (e.g., no errors during analysis). In this case, accurate target stack data can be determined based on the first debugging result. Conversely, failed debugging indicates that the target core dump file was not written in the first programming language (e.g., errors during analysis). In this case, the target core dump file can be considered to be written in the second programming language. Analyzing the target core dump file using a second debugging tool can then yield accurate target stack data. Therefore, the first debugging result obtained through the first debugging tool can accurately determine the programming language of the target core dump file, thereby improving the accuracy and reliability of the target stack data.
[0158] For example, refer to Figure 5 , Figure 5 This is an optional flowchart illustrating an analysis target core dump file provided in an embodiment of this disclosure.
[0159] The first debugging tool is the Delve debugging tool, and the second debugging tool is the gdb debugging tool. First, the process file and the target core dump file are input into the Delve debugging tool. The Delve debugging tool analyzes the target core dump file to obtain the first debugging result. Then, the first debugging result is used to determine whether the debugging was successful. If the first debugging result indicates that the target core dump file was successfully debugged, it means that the target core dump file was programmed using the Go programming language, and the target stack data is obtained. If the first debugging result indicates that the target core dump file failed to debug, it means that the target core dump file was programmed using programming languages such as C or C++. Then, the process file and the target core dump file are input into the gdb debugging tool, and the gdb debugging tool analyzes the target core dump file to obtain the target stack data of the target process.
[0160] In one possible implementation, the process file and the target core dump file are input into at least one of a first debugging tool and a second debugging tool. The target core dump file is analyzed by the first debugging tool and the second debugging tool to obtain the target stack data of the target process. Specifically, the process file and the target core dump file are input into the second debugging tool, and the target core dump file is analyzed by the second debugging tool to obtain a second debugging result. When the second debugging result does not contain any keywords related to the first programming language, the target stack data of the target process is determined based on the second debugging result. When the second debugging result contains keywords related to the first programming language, the process file and the target core dump file are input into the first debugging tool, and the target core dump file is analyzed by the first debugging tool to obtain the target stack data of the target process.
[0161] Based on this, target core dump files are typically written in either a first or second programming language. A second debugging tool can be used to analyze these files. Since the second debugging tool can analyze files written in either the first or second programming language, keywords related to the first programming language can be used as criteria to determine the programming language of the target core dump file. Specifically, if the second debugging results do not contain keywords related to the first programming language, it means the target core dump file was written in the second programming language. In this case, accurate target stack data can be determined based on the second debugging results. Conversely, if the second debugging results contain keywords related to the first programming language, it means the target core dump file was written in the first programming language. Analyzing the target core dump file again using the first debugging tool can then yield accurate target stack data. Therefore, the second debugging results obtained through analysis using the second debugging tool can accurately determine the programming language of the target core dump file, thereby improving the accuracy and reliability of the target stack data.
[0162] For example, refer to Figure 6 , Figure 6 This is an alternative flowchart illustrating an embodiment of the analysis target core dump file provided in this disclosure.
[0163] The first debugging tool is the Delve debugging tool, and the second debugging tool is the gdb debugging tool. First, the process file and the target core dump file are input into the gdb debugging tool. The gdb debugging tool analyzes the target core dump file to obtain the second debugging result. Then, it is determined whether the second debugging result contains keywords related to the first programming language. If the second debugging result does not contain keywords related to the first programming language, it means that the target core dump file was programmed in a programming language such as C or C++, and the target stack data is directly obtained. If the second debugging result contains keywords related to the first programming language, it means that the target core dump file was programmed in the Go programming language. The process file and the target core dump file are then input into the Delve debugging tool, and the Delve debugging tool analyzes the target core dump file to obtain the target stack data of the target process.
[0164] In one possible implementation, the anomaly detection method further includes: performing a hash operation on the target stack data to obtain a target verification value; matching the target verification value with a reference verification value; recording the target stack data to an anomaly detection table when the target verification value is different from the reference verification value, or removing the target stack data when the target verification value is the same as the reference verification value.
[0165] The reference check value is obtained by hashing the stack data corresponding to other agents. The reference check value and the target check value are obtained by the same hash algorithm, which can ensure the reliability of the matching result of the reference check value and the target check value. For example, if the hash algorithm is MD5, the reference check value and the target check value obtained are both MD5 values.
[0166] Based on this, hash operations can yield a fixed-length checksum, meaning the target checksum data is typically small. Compared to directly matching the large target stack data with the corresponding stack data from other agents, matching the smaller target checksum with a reference checksum improves matching efficiency. When the target checksum and the reference checksum are the same, it means the target stack data is duplicated with the stack data from other agents, indicating that the same process in different agents has experienced the same exception. To improve processing efficiency, it is unnecessary to handle the same exception occurring in different agents. Only when the target checksum and the reference checksum are different does it mean the target stack data is not duplicated with the stack data from other agents. In this case, recording the target stack data in the exception detection table helps relevant personnel quickly and accurately analyze the cause of the exception in the target core dump file, thereby further improving the efficiency of exception detection.
[0167] For example, refer again Figure 3 ,like Figure 3 As shown in the core analysis process, the server needs to match the target checksum with the reference checksum during core analysis. Only when the target checksum differs from the reference checksum will the target stack data be recorded in the anomaly detection table, i.e., a core event will be reported, thus achieving process deduplication and a "no duplication" effect. In addition, if an error occurs during core analysis, it will automatically retry. If the retry fails, an alarm message will be generated, achieving automatic retry failure alarm and a "no omission" effect.
[0168] In one possible implementation, the anomaly detection method further includes: obtaining the process log and environment information of the target process, constructing a prompt instruction for suggesting repair code, and concatenating the prompt instruction, process log, environment information, target stack data, and second process information as input to a large language model for content generation to obtain the target code of the target process.
[0169] Therefore, since large language models have a rich reserve of code knowledge, using large language models to perform code repair tasks can infer accurate target code, effectively improve code repair efficiency, and quickly and effectively repair the target process to avoid the recurrence of anomalies.
[0170] Specifically, anomaly detection methods can be applied to anomaly detection systems, as shown in the reference. Figure 7 , Figure 7 This is a schematic diagram of an optional architecture of the anomaly detection system provided in this embodiment. The anomaly detection system may include an access layer, a service layer, a data layer, and external dependencies. The access layer includes an FCD pipeline, a web management terminal, and an agent; the service layer includes a detection service module, a cloud analytics module, and a DAO; and the data layer includes a database system, Kafka, and COS.
[0171] External dependencies include the service management module, configuration center, environment management module, CMDB, and unified agent. Specifically, the cloud analytics module and detection service module are both microservice modules that can be registered with the service management module and addressed through it, enabling the server to support rapid scaling and providing high availability and disaster recovery capabilities. Reference process names and alarm responsibilities can be configured in the configuration center, and the environment management module can be used to manage environment information. The CMDB can be used to query alarm responsibilities and push alarm information to them. The unified agent is the framework for the agent.
[0172] The complete process of the anomaly detection method is described in detail below.
[0173] The following describes the processing flow of the target proxy, referring to... Figure 8 and Figure 9 , Figure 8 This is a schematic diagram of an optional timing diagram of the anomaly detection method provided in an embodiment of this disclosure. Figure 9 This is an optional flowchart of a target agent provided in an embodiment of this disclosure.
[0174] First, the target agent periodically acquires information about running processes. That is, the target agent can collect the first process information and establish a soft link to the process. If the target agent's local memory has recorded the first process information before detecting that the target core dump file has been stored, the target agent can query the process file based on the first process information. However, if the target agent's local memory has not recorded the first process information, it cannot query the process file based on the first process information. The target agent can be any one of multiple agents, and all agents communicate with the server.
[0175] Meanwhile, the target agent can obtain environmental information and detect the target core dump file, i.e., perform core detection. When the target core dump file is detected, i.e. when the target core dump file is found, the status of the core detection task will be written through DAO, and the first process information of the target process will be queried in the target agent based on the target core dump file.
[0176] Then, when no information about the first process is found, the target agent generates a query request based on the target process name; sends the query request to the server so that the server can match the target process name with each candidate process name, and query the second process information of the target process from each candidate process information based on the matching results; and receives the second process information sent by the server, wherein the second process information is collected by other agents and uploaded to the server's database system, and the other agents are the agents other than the target agent among multiple agents.
[0177] Then, based on the second process information, the process file of the target process is queried in the target agent. After obtaining the process file, assuming the target core dump file is abbreviated as core, the core and process file will be moved to a temporary working directory, and an alarm will be issued if the move fails.
[0178] Then, the target agent queries all stored core dump files for historical core dump files based on the first time point when the target core dump file is stored. The second time point when the historical core dump file is stored is before the first time point, and the time interval between the second time point and the first time point is less than or equal to a preset interval threshold. When a historical core dump file is found, the target process name is matched with the historical process names included in the historical core dump file to determine whether there is a duplicate. If there is a duplicate, the working directory is deleted.
[0179] Then, when the target process name is different from the historical process name, i.e., it is not repeated, the process log of the target process is queried in the target agent based on the second process information, and the process log is also sent to the server so that the server can generate a second access link for downloading the process log; at the same time, the environment information is sent to the server's database system through a write task, and an alarm will be issued when the write fails.
[0180] Simultaneously, the target agent packages the working directory, obtaining the packaging result. If the attempt fails, the task status is updated to "failed" and an alert is issued. The packaged result is then uploaded to the server's COS, essentially sending the target core dump file and process files to the server. This allows the server to generate a first access link for accessing the target core dump file and process files. Upon successful upload, the core task status is updated via DAO. If the upload fails, the task status is updated to "retryable." If a retry fails, an alert is issued. For example, if the first access link from the server is not received, the target core dump file and process files are uploaded to the server again. If the first access link from the server is still not received, an alert message is generated.
[0181] Then, when the first access link returned by the server is received, the target proxy obtains the reference process name of the reference process, where the reference process is a process unrelated to the target business. The target process name is matched with the reference process name, which is equivalent to determining whether the target process belongs to the blacklist process. When the target process name is different from the reference process name, that is, the target process does not belong to the blacklist process, a core event is generated based on the first access link. When the target process belongs to the blacklist process, the status of the update task is "detection ignored". If the relevant personnel confirm that it is ignored, the working directory will be deleted. If the relevant personnel confirm that it is not ignored, an alarm will be issued.
[0182] Then, it checks whether the process file exists locally on the target agent. If the process file exists, the task status is updated to success. If the process file does not exist, the task status is updated to ignore detection. If the ignore detection is confirmed by relevant personnel, the working directory is deleted. If the ignore detection is confirmed by relevant personnel, an alarm is issued. The case where the process file does not exist specifically means that when querying the process file, it is not necessary to consider whether the process file exists. If it exists, the process file is moved to the working directory. If it does not exist, the flag used to identify the process file is moved to the working directory.
[0183] Then, the target agent writes the core event to the Kafka message queue and deletes the working directory, which is equivalent to sending the core event to the server. The server then analyzes the target core dump file based on the process file to obtain the target stack data of the target process. The target stack data is used to determine the cause of the abnormality of the target process.
[0184] Additionally, when the first process information is retrieved, the process file is queried in the target agent based on the first process information. Core events are generated based on the target core dump file and the process file. The first process information is collected by the target agent and uploaded to the server so that the server can store the first process information as candidate process information. That is, the target agent will periodically obtain the running process information and establish process soft links; and send core events to the server so that the server can analyze the target core dump file based on the process file to obtain the target stack data.
[0185] The following describes the server-side processing flow, please refer to [link / reference] again. Figure 8 and refer to Figure 10 , Figure 10 This is a schematic diagram of an optional process for a server provided in an embodiment of this disclosure.
[0186] First, when the target agent detects that the target core dump file has been stored, and the first process information of the target process is not found in the target agent based on the target core dump file, the second process information of the target process is queried based on the target core dump file, and the second process information is sent to the target agent. The target agent can be any one of multiple agents, and all multiple agents communicate with the server. The second process information is collected and uploaded to the server by other agents, which are agents other than the target agent.
[0187] Then, when Kafka messages arrive, the server can consume individual messages sequentially. When consuming core events, i.e., receiving core events sent by the target broker, the server will write the status of the analysis task through the DAO, i.e., create the analysis task. After successful writing, the working directory will be initialized, and an alarm will be triggered if the writing fails. The core events are generated by the target broker based on the target core dump file and the process file of the target process. The process file is obtained by the target broker from the target broker based on the second process information of the target process.
[0188] Then, the server will respond to the core event and pull the packaged result containing the target core dump file and process files from COS, i.e., pull the core. When the pull fails, the task status will be updated to retryable. If the retry fails, an alarm will be issued.
[0189] Then, the server decompresses the packaged result to obtain the target core dump file and process file. The process file and target core dump file are input into at least one of the first and second debugging tools. The target core dump file is analyzed by the first and second debugging tools to obtain the target stack data of the target process, i.e., core analysis is performed to obtain the stack. If the stack is successfully obtained, the working directory is deleted; if the stack is not successfully obtained, the task status is updated to failure. The target stack data is used to determine the cause of the abnormality of the target process.
[0190] Then, the server performs a hash operation on the target stack trace data to obtain the target checksum. The target checksum is then matched with a reference checksum to determine if it is a duplicate stack trace. The reference checksum is obtained by hashing the stack trace data of other agents. When the target checksum is different from the reference checksum, it means that it is not a duplicate stack trace, and the target stack trace data is recorded in the anomaly detection table. When the target checksum is the same as the reference checksum, it means that it is a duplicate stack trace, the target stack trace data is removed, and the task status is updated to ignore. The process ends when relevant personnel confirm that it is ignored, and an alarm is triggered when relevant personnel confirm that it is not ignored.
[0191] To improve computational efficiency, suppose the server performs a hash operation on the target stack data, but only performs a partial hash operation on the target stack data. It also needs to perform a hash operation on a partial data of the stack data corresponding to other agents to obtain a reference verification value. In this case, when it is determined that it is not a duplicate stack, the server needs to obtain the complete target stack data. If the retrieval fails, the task status will be updated to failure.
[0192] Then, the target stack data is reported to the detection service module on the server side, that is, the analysis results are reported to the detection service module. When the report is successful, the working directory is deleted and the task status is updated to success. When the report fails, the task status is updated to retryable. When the retry fails, an alarm is issued. Specifically, the status of the core task is updated through DAO.
[0193] Based on this, when the target agent detects that the target core dump file has been stored, i.e., when an anomaly occurs, it first queries the first process information of the target process in the target agent. If the first process information is not found, it then queries the server for the second process information about the target process collected and uploaded by other agents, based on the target core dump file. The second process information is then used to query the process file of the target process in the target agent, enabling rapid retrieval of the process file. The core events generated based on the target core dump file and the process file are then sent to the server. The server then analyzes the target core dump file based on the process file to obtain target stack data used to determine the cause of the anomaly. Therefore, when an anomaly occurs but the target agent has not yet recorded the first process information, relying on the server to supplement the second process information ensures that the process file query process is not affected. This avoids the inability to retrieve the process file due to the lack of first process information, thus ensuring that the analysis process of the target core dump file is unaffected and effectively analyzing the anomaly cause corresponding to the target core dump file, thereby improving the reliability of anomaly detection.
[0194] It is understood that although the steps in the above flowcharts are shown sequentially according to the arrows, these steps are not necessarily executed in the order indicated by the arrows. Unless explicitly stated in this embodiment, there is no strict order restriction on the execution of these steps, and they can be executed in other orders. Moreover, at least some steps in the above flowcharts may include multiple steps or multiple stages. These steps or stages are not necessarily completed at the same time, but can be executed at different times. The execution order of these steps or stages is not necessarily sequential, but can be performed alternately or in turn with other steps or at least some of the steps or stages in other steps.
[0195] Reference Figure 11 , Figure 11 This is a schematic diagram of an optional structure of the anomaly detection device 1100 provided in an embodiment of the present disclosure. The anomaly detection device 1100 includes:
[0196] The first query module 1101 is used to query the first process information of the target process in the target agent based on the target core dump file when the target core dump file is detected to be stored. The target agent can be any one of multiple agents, and all multiple agents communicate with the server.
[0197] The second query module 1102 is used to query the second process information of the target process from the server based on the target core dump file when the first process information is not found. The second process information is collected and uploaded to the server by other agents. The other agents are agents other than the target agent among multiple agents.
[0198] The generation module 1103 is used to query the process file of the target process in the target agent based on the second process information, and generate core events based on the target core dump file and the process file.
[0199] The sending module 1104 is used to send core events to the server so that the server can analyze the target core dump file based on the process file to obtain the target stack data of the target process. The target stack data is used to determine the cause of the abnormality of the target process.
[0200] Furthermore, the target core dump file includes the target process name, and the server stores information on multiple candidate processes, including the candidate process names. The second query module 1102 is specifically used for:
[0201] Generate a query request based on the target process name;
[0202] Send a query request to the server so that the server can match the target process name with each candidate process name and query the second process information of the target process from the candidate process information based on the matching results;
[0203] Receive the second process information sent by the server.
[0204] Furthermore, the aforementioned anomaly detection device also includes a first processing module (not shown in the figure), which is specifically used for:
[0205] When the first process information is found, the process file is queried in the target agent based on the first process information. Core events are generated based on the target core dump file and the process file. The first process information is collected by the target agent and uploaded to the server so that the server can store the first process information as candidate process information.
[0206] Send core events to the server so that the server can analyze the target core dump file based on the process file to obtain the target stack data.
[0207] Furthermore, the aforementioned generation module 1103 is specifically used for:
[0208] Send the target core dump file and process file to the server so that the server can generate the first access link to access the target core dump file and process file;
[0209] When the first access link returned by the server is received, a core event is generated based on the first access link.
[0210] Furthermore, the target core dump file includes the target process name of the target process, and the aforementioned generation module 1103 is specifically used for:
[0211] Obtain the name of the reference process, where the reference process is a process unrelated to the target business.
[0212] The target process name is matched with the reference process name. When the target process name and the reference process name are different, a core event is generated based on the first access link.
[0213] Furthermore, the aforementioned anomaly detection device also includes a recording module (not shown in the figure), which is specifically used for:
[0214] Based on the second process information, query the process log of the target process in the target agent and send the process log to the server so that the server can generate a second access link for downloading the process log;
[0215] Obtain the target process's environment information and send it to the server so that the server can associate and record the first access link, the second access link, the second process information, and the environment information.
[0216] Furthermore, the aforementioned anomaly detection device also includes an alarm module (not shown in the figure), which is specifically used for:
[0217] If the first access link is not received from the server, the target core dump file and process file are sent to the server again.
[0218] An alarm message is generated if the first access link returned by the server is not received by then.
[0219] Furthermore, the target core dump file includes the target process name of the target process, and the aforementioned generation module 1103 is specifically used for:
[0220] Based on the first time point when the target core dump file is stored, query the historical core dump files among all the stored core dump files. The second time point when the historical core dump file is stored is before the first time point, and the time interval between the second time point and the first time point is less than or equal to a preset interval threshold.
[0221] When historical core dump files are retrieved, the target process name is matched with the historical process names included in the historical core dump files;
[0222] When the target process name is different from the historical process name, core events are generated based on the target core dump file and the process file.
[0223] The aforementioned anomaly detection device 1100 and the anomaly detection method executed by the target agent are based on the same inventive concept. When an anomaly is detected by storing the target core dump file, the device first queries the first process information of the target process in the target agent. If the first process information is not found, it queries the server for second process information about the target process collected and uploaded by other agents based on the target core dump file. Then, it queries the process file of the target process in the target agent using the second process information, which can quickly retrieve the process file. The core events generated based on the target core dump file and the process file are then sent to the server, allowing the server to analyze the target core dump file based on the process file, thereby obtaining target stack data used to determine the cause of the anomaly. Therefore, when an anomaly occurs but the target agent has not yet recorded the first process information, the server supplements the second process information, so that the process file query process is not affected. This avoids the inability to retrieve the process file due to the lack of first process information, thus ensuring that the analysis process of the target core dump file is not affected, effectively analyzing the cause of the anomaly corresponding to the target core dump file, thereby improving the reliability of anomaly detection.
[0224] Reference Figure 12 , Figure 12 This is another optional structural diagram of the anomaly detection device 1200 provided in the embodiments of this disclosure, which includes:
[0225] The third query module 1201 is used to query the second process information of the target process based on the target core dump file when the target agent detects that the target core dump file has been stored and the first process information of the target process is not found in the target agent based on the target core dump file, and send the second process information to the target agent. The target agent can be any one of multiple agents, and all multiple agents communicate with the server. The second process information is collected and uploaded to the server by other agents. The other agents are agents other than the target agent.
[0226] The receiving module 1202 is used to receive core events sent by the target agent. The core events are generated by the target agent based on the target core dump file and the process file of the target process. The process file is obtained by the target agent by querying the target agent based on the second process information of the target process.
[0227] Analysis module 1203 is used to respond to core events and analyze the target core dump file based on the process file to obtain the target stack data of the target process. The target stack data is used to determine the cause of the abnormality of the target process.
[0228] Furthermore, the aforementioned analysis module 1203 is specifically used for:
[0229] The process file and the target core dump file are input into at least one of the first and second debugging tools. The target core dump file is analyzed by at least one of the first and second debugging tools to obtain the target stack data of the target process.
[0230] The first debugging tool is used to analyze files written in the first programming language, and the second debugging tool is used to analyze files written in either the first or the second programming language. The second programming language is different from the first programming language. The second debugging tool has better performance in analyzing files written in the second programming language than in analyzing files written in the first programming language.
[0231] Furthermore, the aforementioned analysis module 1203 is specifically used for:
[0232] The process file and the target core dump file are input into the first debugging tool. The first debugging tool analyzes the target core dump file to obtain the first debugging result.
[0233] When the first debugging result indicates that the target core dump file has been successfully debugged, the target stack data of the target process is determined based on the first debugging result.
[0234] When the first debugging result indicates that debugging the target core dump file fails, the process file and the target core dump file are input into the second debugging tool. The second debugging tool analyzes the target core dump file to obtain the target stack data of the target process.
[0235] Furthermore, the aforementioned analysis module 1203 is specifically used for:
[0236] The process file and the target core dump file are input into the second debugging tool. The target core dump file is analyzed by the second debugging tool to obtain the second debugging result.
[0237] When the second debugging result does not contain any keywords related to the first programming language, the target stack data of the target process is determined based on the second debugging result.
[0238] When the second debugging result contains keywords related to the first programming language, the process file and the target core dump file are input into the first debugging tool. The first debugging tool analyzes the target core dump file to obtain the target stack data of the target process.
[0239] Furthermore, the aforementioned anomaly detection device also includes a second processing module (not shown in the figure), which is specifically used for:
[0240] The target stack data is hashed to obtain the target verification value;
[0241] The target verification value is matched with the reference verification value, which is obtained by hashing the stack data of other agents.
[0242] When the target check value is different from the reference check value, the target stack data is recorded in the anomaly detection table; or, when the target check value is the same as the reference check value, the target stack data is removed.
[0243] The aforementioned anomaly detection device 1200 and the anomaly detection method executed by the server are based on the same inventive concept. When an anomaly is detected by storing a target core dump file, the device first queries the first process information of the target process in the target agent. If the first process information is not found, the device then queries the server for second process information about the target process collected and uploaded by other agents, based on the target core dump file. The second process information is then used to query the process file of the target process in the target agent, enabling the process file to be quickly retrieved. The core events generated based on the target core dump file and the process file are then sent to the server, allowing the server to analyze the target core dump file based on the process file. This yields target stack data used to determine the cause of the anomaly. Therefore, when an anomaly occurs but the target agent has not yet recorded the first process information, the server supplements the second process information, ensuring that the process file query process is not affected. This avoids the inability to retrieve the process file due to the lack of first process information, thus ensuring that the analysis process of the target core dump file is not affected and effectively analyzing the cause of the anomaly corresponding to the target core dump file, thereby improving the reliability of anomaly detection.
[0244] The electronic device provided in this embodiment for performing the above-described anomaly detection method can be a terminal, which can serve as the aforementioned target proxy terminal, as described above. Figure 13 , Figure 13 This is a partial structural block diagram of a terminal provided in an embodiment of the present disclosure. The terminal includes: a camera assembly 1310, a first memory 1320, an input unit 1330, a display unit 1340, a sensor 1350, an audio circuit 1360, a wireless fidelity (WiFi) module 1370, a first processor 1380, and a first power supply 1390, among other components. Those skilled in the art will understand that... Figure 13 The terminal structure shown does not constitute a limitation on the terminal and may include more or fewer components than shown, or combine certain components, or have different component arrangements.
[0245] The camera assembly 1310 can be used to capture images or videos. Optionally, the camera assembly 1310 includes a front-facing camera and a rear-facing camera. Typically, the front-facing camera is located on the front panel of the terminal, and the rear-facing camera is located on the back of the terminal. In some embodiments, there are at least two rear-facing cameras, which are any one of a main camera, a depth-sensing camera, a wide-angle camera, and a telephoto camera, to achieve background blurring by fusion of the main camera and the depth-sensing camera, panoramic shooting by fusion of the main camera and the wide-angle camera, VR (Virtual Reality) shooting, or other fusion shooting functions.
[0246] The first memory 1320 can be used to store software programs and modules. The first processor 1380 executes various functional applications and data processing of the terminal by running the software programs and modules stored in the first memory 1320.
[0247] The input unit 1330 can be used to receive input numeric or character information, and to generate key signal inputs related to the terminal's settings and function control. Specifically, the input unit 1330 may include a touch panel 1331 and other input devices 1332.
[0248] Display unit 1340 can be used to display input or provided information, as well as various menus of the terminal. Display unit 1340 may include display panel 1341.
[0249] Audio circuitry 1360, speaker 1361, and microphone 1362 provide an audio interface.
[0250] The first power source 1390 can be AC power, DC power, a disposable battery, or a rechargeable battery.
[0251] The number of sensors 1350 can be one or more, and these sensors 1350 include, but are not limited to: accelerometers, gyroscopes, pressure sensors, optical sensors, etc.
[0252] An accelerometer can detect the magnitude of acceleration along the three coordinate axes of a coordinate system established by the terminal. For example, an accelerometer can be used to detect the components of gravitational acceleration along the three coordinate axes. The first processor 1380 can control the display unit 1340 to display the user interface in either a horizontal or vertical view based on the gravitational acceleration signal acquired by the accelerometer. The accelerometer can also be used for collecting motion data from games or other applications.
[0253] The gyroscope sensor can detect the terminal's orientation and rotation angle. It can work in conjunction with an accelerometer to collect 3D user movements on the terminal. Based on the data collected by the gyroscope sensor, the first processor 1380 can perform the following functions: motion sensing (e.g., changing the UI based on the user's tilt), image stabilization during shooting, game control, and inertial navigation.
[0254] The pressure sensor can be installed on the side bezel of the terminal and / or on the lower layer of the display unit 1340. When the pressure sensor is installed on the side bezel of the terminal, it can detect the user's grip signal on the terminal, and the first processor 1380 can perform left / right hand recognition or quick operation based on the grip signal collected by the pressure sensor. When the pressure sensor is installed on the lower layer of the display unit 1340, the first processor 1380 can control the operable controls on the UI interface based on the user's pressure operation on the display unit 1340. The operable controls include at least one of button controls, scroll bar controls, icon controls, and menu controls.
[0255] An optical sensor is used to collect ambient light intensity. In one embodiment, the first processor 1380 can control the display brightness of the display unit 1340 based on the ambient light intensity collected by the optical sensor. Specifically, when the ambient light intensity is high, the display brightness of the display unit 1340 is increased; when the ambient light intensity is low, the display brightness of the display unit 1340 is decreased. In another embodiment, the first processor 1380 can also dynamically adjust the shooting parameters of the camera assembly 1310 based on the ambient light intensity collected by the optical sensor.
[0256] In this embodiment, the first processor 1380 included in the terminal can execute the anomaly detection method of the previous embodiment.
[0257] The electronic device provided in this embodiment for performing the above-described anomaly detection method can also be a server, which can serve as the aforementioned server-side component, as described above. Figure 14 , Figure 14This is a partial structural block diagram of a server provided in an embodiment of the present disclosure. The server can vary significantly due to different configurations or performance. It may include one or more second processors 1410 and second memories 1430, and one or more storage media 1440 (e.g., one or more mass storage devices) for storing application programs 1443 or data 1442. The second memories 1430 and storage media 1440 can be temporary or persistent storage. The program stored in the storage media 1440 may include one or more modules (not shown in the diagram), each module including a series of instruction operations on the server. Furthermore, the second processor 1410 may be configured to communicate with the storage media 1440 and execute the series of instruction operations stored in the storage media 1440 on the server.
[0258] The server may also include one or more secondary power supplies 1420, one or more wired or wireless network interfaces 1450, one or more input / output interfaces 1460, and / or one or more operating systems 1441, such as Windows Server™, Mac OS X™, Unix™, Linux™, FreeBSD™, etc.
[0259] The second processor 1410 in the server can be used to execute anomaly detection methods.
[0260] This disclosure also provides a computer-readable storage medium for storing a computer program for executing the anomaly detection methods of the foregoing embodiments.
[0261] This disclosure also provides a computer program product comprising a computer program stored in a computer-readable storage medium. A processor of a computer device reads the computer program from the computer-readable storage medium and executes the computer program, causing the computer device to perform the above-described anomaly detection method.
[0262] The terms “first,” “second,” “third,” “fourth,” etc. (if present) in this disclosure and the foregoing drawings are used to distinguish similar objects and are not necessarily used to describe a particular order or sequence. It should be understood that such data can be interchanged where appropriate so that the embodiments of this disclosure described herein can be implemented, for example, in orders other than those illustrated or described herein. Furthermore, the terms “comprising” and “having,” and any variations thereof, are intended to cover a non-exclusive inclusion; for example, a process, method, system, product, or apparatus that comprises a series of steps or units is not necessarily limited to those steps or units explicitly listed, but may include other steps or units not explicitly listed or inherent to such processes, methods, products, or apparatuses.
[0263] It should be understood that in this disclosure, "at least one item" means one or more, and "more than one" means two or more. "And / or" is used to describe the relationship between related objects, indicating that three relationships can exist. For example, "A and / or B" can represent three cases: only A exists, only B exists, and both A and B exist simultaneously, where A and B can be singular or plural. The character " / " generally indicates that the preceding and following related objects are in an "or" relationship. "At least one of the following" or similar expressions refer to any combination of these items, including any combination of single or plural items. For example, at least one of a, b, or c can represent: a, b, c, "a and b", "a and c", "b and c", or "a and b and c", where a, b, and c can be single or multiple.
[0264] It should be understood that in the description of the embodiments of this disclosure, "multiple" means two or more, "greater than", "less than", "exceeding" etc. are understood to exclude the number itself, and "above", "below", "within" etc. are understood to include the number itself.
[0265] In the several embodiments provided in this disclosure, it should be understood that the disclosed systems, apparatuses, and methods can be implemented in other ways. For example, the apparatus embodiments described above are merely illustrative; for instance, the division of units is only a logical functional division, and in actual implementation, there may be other division methods. For example, multiple units or components may be combined or integrated into another system, or some features may be ignored or not executed. Furthermore, the coupling or direct coupling or communication connection shown or discussed may be through some interfaces, indirect coupling or communication connection between apparatuses or units, and may be electrical, mechanical, or other forms.
[0266] The units described as separate components may or may not be physically separate. The components shown as units may or may not be physical units; that is, they may be located in one place or distributed across multiple network units. Some or all of the units can be selected to achieve the purpose of this embodiment according to actual needs.
[0267] Furthermore, the functional units in the various embodiments of this disclosure can be integrated into one processing unit, or each unit can exist physically separately, or two or more units can be integrated into one unit. The integrated unit can be implemented in hardware or as a software functional unit.
[0268] If the integrated unit is implemented as a software functional unit and sold or used as an independent product, it can be stored in a computer-readable storage medium. Based on this understanding, the technical solution of this disclosure, in essence, or the part that contributes to the prior art, or all or part of the technical solution, can be embodied in the form of a software product. This computer software product is stored in a storage medium and includes several instructions to cause a computer device (which may be a personal computer, server, or network device, etc.) to execute all or part of the steps of the methods of the various embodiments of this disclosure. The aforementioned storage medium includes various media capable of storing program code, such as USB flash drives, portable hard drives, read-only memory (ROM), random access memory (RAM), magnetic disks, or optical disks.
[0269] It should also be understood that the various implementation methods provided in this disclosure can be combined arbitrarily to achieve different technical effects.
[0270] The above is a detailed description of the preferred embodiments of this disclosure. However, this disclosure is not limited to the above embodiments. Those skilled in the art can make various equivalent modifications or substitutions without departing from the spirit of this disclosure. All such equivalent modifications or substitutions are included within the scope defined by the claims of this disclosure.
Claims
1. An anomaly detection method, characterized in that, include: When the storage of the target core dump file is detected, the first process information of the target process is queried in the target agent based on the target core dump file. The target agent can be any one of multiple agents, and all of the multiple agents communicate with the server. When the first process information is not found, the second process information of the target process is queried from the server based on the target core dump file. The second process information is collected and uploaded to the server by other agents. The other agents are agents other than the target agent among the plurality of agents. Based on the second process information, query the process file of the target process in the target agent, and generate core events based on the target core dump file and the process file; The core event is sent to the server so that the server can analyze the target core dump file based on the process file to obtain the target stack data of the target process, wherein the target stack data is used to determine the cause of the abnormality of the target process.
2. The anomaly detection method according to claim 1, characterized in that, The target core dump file includes the target process name of the target process. The server stores information on multiple candidate processes, including the candidate process names of the candidate processes. The step of querying the server for the second process information of the target process based on the target core dump file includes: Generate a query request based on the target process name; The query request is sent to the server so that the server can match the target process name with each of the candidate process names and query the second process information of the target process from each of the candidate process information based on the matching results. Receive the second process information sent by the server.
3. The anomaly detection method according to claim 2, characterized in that, The anomaly detection method further includes: When the first process information is retrieved, the process file is queried in the target agent based on the first process information, and the core event is generated based on the target core dump file and the process file. The first process information is collected by the target agent and uploaded to the server so that the server can store the first process information as the candidate process information. The core event is sent to the server so that the server can analyze the target core dump file based on the process file to obtain the target stack data.
4. The anomaly detection method according to claim 1, characterized in that, The generation of core events based on the target core dump file and the process file includes: The target core dump file and the process file are sent to the server so that the server can generate a first access link for accessing the target core dump file and the process file. When the first access link returned by the server is received, a core event is generated based on the first access link.
5. The anomaly detection method according to claim 4, characterized in that, The target core dump file includes the target process name of the target process, and the generation of core events based on the first access link includes: Obtain the name of the reference process, wherein the reference process is a process unrelated to the target business; The target process name is matched with the reference process name. When the target process name is different from the reference process name, a core event is generated based on the first access link.
6. The anomaly detection method according to claim 4, characterized in that, The anomaly detection method further includes: Based on the second process information, the target agent queries the process log of the target process and sends the process log to the server so that the server can generate a second access link for downloading the process log. The environment information of the target process is obtained and sent to the server so that the server can associate and record the first access link, the second access link, the second process information and the environment information.
7. The anomaly detection method according to claim 4, characterized in that, After sending the target core dump file and the process file to the server, the anomaly detection method further includes: If the first access link returned by the server is not received, the target core dump file and the process file are sent to the server again. If the first access link is still not received from the server, an alarm message is generated.
8. The anomaly detection method according to claim 1, characterized in that, The target core dump file includes the target process name of the target process, and the generation of core events based on the target core dump file and the process file includes: Based on the first time point when the target core dump file is stored, query historical core dump files among all stored core dump files, wherein the second time point when the historical core dump file is stored is before the first time point, and the time interval between the second time point and the first time point is less than or equal to a preset interval threshold. When the historical core dump file is retrieved, the target process name is matched with the historical process names included in the historical core dump file; When the target process name is different from the historical process name, a core event is generated based on the target core dump file and the process file.
9. An anomaly detection method, characterized in that, include: When the target proxy detects that the target core dump file has been stored, and the first process information of the target process is not found in the target proxy based on the target core dump file, the second process information of the target process is queried based on the target core dump file, and the second process information is sent to the target proxy. The target proxy can be any one of multiple proxy clients, and all of the multiple proxy clients communicate with the server. The second process information is collected and uploaded to the server by other proxy clients, and the other proxy clients are proxy clients other than the target proxy client among the multiple proxy clients. Receive core events sent by the target agent, wherein the core events are generated by the target agent based on the target core dump file and the process file of the target process, and the process file is obtained by the target agent by querying the target agent based on the second process information of the target process. In response to the core event, the target core dump file is analyzed based on the process file to obtain the target stack data of the target process, wherein the target stack data is used to determine the cause of the anomaly of the target process.
10. The anomaly detection method according to claim 9, characterized in that, The analysis of the target kernel dump file based on the process file to obtain the target stack data of the target process includes: The process file and the target core dump file are input into at least one of the first and second debugging tools. The target core dump file is analyzed by at least one of the first and second debugging tools to obtain the target stack data of the target process. The first debugging tool is used to analyze files written in a first programming language, and the second debugging tool is used to analyze files written in either the first or a second programming language, wherein the second programming language is different from the first programming language, and the second debugging tool has better analysis performance for files written in the second programming language than for files written in the first programming language.
11. The anomaly detection method according to claim 10, characterized in that, The process file and the target core dump file are input into at least one of a first debugging tool and a second debugging tool. The target core dump file is analyzed by at least one of the first debugging tool and the second debugging tool to obtain the target stack data of the target process, including: The process file and the target core dump file are input into the first debugging tool, and the target core dump file is analyzed by the first debugging tool to obtain the first debugging result; When the first debugging result indicates that the target core dump file has been successfully debugged, the target stack data of the target process is determined based on the first debugging result. When the first debugging result indicates that the debugging of the target core dump file has failed, the process file and the target core dump file are input into the second debugging tool. The second debugging tool analyzes the target core dump file to obtain the target stack data of the target process.
12. The anomaly detection method according to claim 10, characterized in that, The process file and the target core dump file are input into at least one of a first debugging tool and a second debugging tool. The target core dump file is analyzed by at least one of the first debugging tool and the second debugging tool to obtain the target stack data of the target process, including: The process file and the target core dump file are input into the second debugging tool, and the target core dump file is analyzed by the second debugging tool to obtain the second debugging result; When the second debugging result does not contain any keywords related to the first programming language, the target stack data of the target process is determined based on the second debugging result; When the second debugging result contains keywords related to the first programming language, the process file and the target core dump file are input into the first debugging tool. The first debugging tool analyzes the target core dump file to obtain the target stack data of the target process.
13. The anomaly detection method according to claim 9, characterized in that, The anomaly detection method further includes: The target stack data is hashed to obtain the target verification value; The target verification value is matched with a reference verification value, wherein the reference verification value is obtained by hashing the stack data corresponding to the other agent ends; When the target check value is different from the reference check value, the target stack data is recorded in the anomaly detection table; or, when the target check value is the same as the reference check value, the target stack data is removed.
14. An anomaly detection device, characterized in that, include: The first query module is used to query the first process information of the target process in the target agent based on the target core dump file when the target core dump file is detected to be stored. The target agent is any one of multiple agents, and all of the multiple agents communicate with the server. The second query module is used to query the server for the second process information of the target process based on the target core dump file when the first process information is not found. The second process information is collected and uploaded to the server by other agents, and the other agents are agents other than the target agent among the plurality of agents. The generation module is used to query the process file of the target process in the target agent based on the second process information, and generate core events based on the target core dump file and the process file; The sending module is used to send the core event to the server so that the server can analyze the target core dump file based on the process file to obtain the target stack data of the target process, wherein the target stack data is used to determine the cause of the abnormality of the target process.
15. An anomaly detection device, characterized in that, include: The third query module is used to query the second process information of the target process based on the target core dump file when the target agent detects that the target core dump file has been stored, and the first process information of the target process is not found in the target agent based on the target core dump file, and send the second process information to the target agent. The target agent can be any one of multiple agents, and all of the multiple agents communicate with the server. The second process information is collected and uploaded to the server by other agents, and the other agents are agents other than the target agent among the multiple agents. The receiving module is used to receive core events sent by the target agent, wherein the core events are generated by the target agent based on the target core dump file and the process file of the target process, and the process file is obtained by the target agent by querying the target agent based on the second process information of the target process. An analysis module is used to respond to the core event by analyzing the target core dump file based on the process file to obtain the target stack data of the target process, wherein the target stack data is used to determine the cause of the anomaly of the target process.
16. An electronic device comprising a memory and a processor, wherein the memory stores a computer program, characterized in that, When the processor executes the computer program, it implements the anomaly detection method according to any one of claims 1 to 13.
17. A computer-readable storage medium storing a computer program, characterized in that, When the computer program is executed by the processor, it implements the anomaly detection method according to any one of claims 1 to 13.
18. A computer program product, comprising a computer program, characterized in that, When the computer program is executed by the processor, it implements the anomaly detection method according to any one of claims 1 to 13.