Thread Interception and Analysis

Abstract
Apparatus and methods for intercepting and analyzing threads are disclosed. In one embodiment, a thread data recorder is configured to instrument one or more existing functions by modifying computer executable instructions in the functions to intercept threads calling the functions. In one possible implementation, the number of existing functions instrumented can be reduced by instrumenting choke point functions. The instrumented functions can also capture data associated with the threads as the threads execute at the function. This data can be saved to memory and compressed into logs. In one aspect, the data can be saved and/or compressed at a time when processor resources are being used at or below a predetermined level. The captured data can be used to analyze a functioning of a computer system in which the threads were produced.
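
The recorder architecture summarized above (instrument a choke-point function, intercept every thread that calls it, duplicate call data into memory, and compress it into a log only when processor load is at or below a threshold) can be sketched in working code. The following Python is an added example, not code from the patent: instead of modifying machine instructions it instruments a function by rebinding its name in a lookup table to an intercepting wrapper, which stands in for instruction patching. The `SERVICES` table, the `write_setting` choke point, the `ThreadDataRecorder` class and the CPU-load threshold are all assumptions made for illustration.

```python
# Added example, not the patent's own code. Instead of modifying machine
# code, the recorder instruments a function by rebinding its name in a
# lookup table to an intercepting wrapper (a stand-in for instruction
# patching). The wrapper records every calling thread; flush() compresses
# the buffered records only when the supplied CPU load is at or below a
# threshold. SERVICES, write_setting and the threshold are assumptions.
import json
import threading
import time
import zlib
from collections import deque


class ThreadDataRecorder:
    def __init__(self, max_events=10_000, cpu_threshold=0.5):
        self._events = deque(maxlen=max_events)  # in-memory capture buffer
        self._lock = threading.Lock()
        self.cpu_threshold = cpu_threshold       # the "predetermined level"
        self.logs = []                            # compressed log blobs

    def instrument(self, namespace, name):
        """Rebind namespace[name] to a wrapper that intercepts all callers."""
        original = namespace[name]

        def wrapper(*args, **kwargs):
            started = time.time()
            result = original(*args, **kwargs)
            event = {
                "function": name,
                "thread_id": threading.get_ident(),
                "thread_name": threading.current_thread().name,
                "time": started,
                "args": [repr(a) for a in args],
                "kwargs": {k: repr(v) for k, v in kwargs.items()},
            }
            with self._lock:
                self._events.append(event)   # duplicate call data into memory
            return result

        namespace[name] = wrapper
        return original

    def pending(self):
        with self._lock:
            return len(self._events)

    def flush(self, cpu_load):
        """Compress buffered events into a log only when the processor is at
        or below the threshold; otherwise defer and keep the buffer."""
        if cpu_load > self.cpu_threshold:
            return None
        with self._lock:
            batch = list(self._events)
            self._events.clear()
        if not batch:
            return None
        blob = zlib.compress(json.dumps(batch).encode())
        self.logs.append(blob)
        return blob

    @staticmethod
    def decode(blob):
        return json.loads(zlib.decompress(blob))


# Hypothetical choke-point function standing in for a system API that many
# threads funnel through (for example a settings write).
SERVICES = {"write_setting": lambda key, value: f"{key}={value}"}


def demo_capture(n_threads=4, calls_per_thread=3):
    """Instrument the choke point, drive it from several threads, then show
    that a busy flush is deferred and an idle flush compresses everything."""
    rec = ThreadDataRecorder(cpu_threshold=0.5)
    rec.instrument(SERVICES, "write_setting")

    def worker(i):
        for j in range(calls_per_thread):
            SERVICES["write_setting"](f"key{i}", j)

    threads = [threading.Thread(target=worker, args=(i,), name=f"w{i}")
               for i in range(n_threads)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    deferred = rec.flush(cpu_load=0.9) is None   # busy: nothing compressed
    blob = rec.flush(cpu_load=0.1)               # idle: compress now
    return {
        "deferred": deferred,
        "events": ThreadDataRecorder.decode(blob),
        "pending": rec.pending(),
        "log_count": len(rec.logs),
    }


if __name__ == "__main__":
    summary = demo_capture()
    print(len(summary["events"]), "events captured into", summary["log_count"], "log")
```

The lock around the buffer is what makes the recorder safe to share across the intercepted threads; a real recorder patching native code would need the equivalent (a per-thread buffer or an interlocked queue) because the wrapper runs on the caller's thread, not on the daemon that compresses.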
Description

BRIEF DESCRIPTION OF THE DRAWINGS

The detailed description is described with reference to the accompanying figures. In the figures, the left-most digit(s) of a reference number identifies the figure in which the reference number first appears. The same numbers are used throughout the drawings to reference like features and components.

FIG. 1 illustrates an exemplary network environment in which one or more threads are generated.
FIG. 2 illustrates an exemplary architecture for intercepting threads and capturing data associated with the threads.
FIG. 3 illustrates an exemplary computing-based device for intercepting threads and capturing data associated with the threads.
FIG. 4 illustrates an exemplary logical representation of an event block.
FIG. 5 illustrates an exemplary physical representation of an event block collection.
FIG. 6 illustrates an exemplary collection server.
FIG. 7 illustrates an exemplary analyzing server.
FIG. 8 illustrates an exemplary representation of one or more activity bursts.
FIG. 9 illustrates exemplary method(s) for intercepting threads and capturing data associated with the threads.
FIG. 10 illustrates exemplary method(s) for adding normalized events to an ordered event stream.
FIG. 11 illustrates exemplary method(s) for detecting leaked entries.
FIG. 12 illustrates exemplary method(s) for detecting common misconfigurations.
FIG. 13 illustrates exemplary method(s) for detecting one or more extensibility points.
FIG. 14 illustrates exemplary method(s) for analyzing one or more activity bursts.
FIG. 15 illustrates exemplary method(s) for prohibiting the execution of unauthorized interactions.
FIG. 16 illustrates exemplary method(s) for detecting rogue programs.
FIG. 17 illustrates an exemplary computer environment.

Claims
  • 1. A system, comprising: at least one processor; one or more functions operating on the system; and a thread data recorder configured to instrument the one or more functions, such that the one or more functions: intercept threads calling the one or more functions; and capture data associated with the intercepted threads.
  • 2. A system of claim 1, wherein the thread data recorder is configured to instrument the one or more functions by modifying computer executable instructions in each of the one or more functions.
  • 3. A system of claim 1, wherein the thread data recorder is configured to instrument the one or more functions at a start up of the system.
  • 4. A system of claim 1, wherein the one or more functions include choke point functions.
  • 5. A system of claim 1, wherein the thread data recorder comprises: a duplicating module configured to duplicate data associated with the intercepted threads; and a directing module configured to direct a user daemon to effect compression of the duplicated data.
  • 6. A system of claim 5, wherein the directing module is further configured to direct the user daemon to effect compression of the duplicated data when at least one of: resources of the processor are being used at or below a predetermined level; a predetermined time.
  • 7. A method comprising: instrumenting an existing function to intercept a thread calling the existing function and capture data associated with the thread; and copying the captured data associated with the thread.
  • 8. A method of claim 7, further comprising: accessing data regarding a program issuing the thread; and accessing a time at which an interaction associated with the thread is performed by the existing function.
  • 9. A method of claim 7, further comprising: examining at least a portion of the data associated with the thread for an identifier of a program; and comparing the identifier of the program against a list of identifiers of known unwarranted programs.
  • 10. A method of claim 9, wherein comparing comprises removing the program if the identifier of the program matches an identifier of a known unwarranted program.
  • 11. A method of claim 7, further comprising compressing the data associated with the thread.
  • 12. A method of claim 11, further comprising periodically uploading the compressed data to an analyzing server.
  • 13. One or more computer readable media comprising computer executable instructions that, when executed, perform acts comprising: receiving one or more related interactions, the one or more related interactions occurring in one or more threads; and grouping the one or more related interactions into an activity burst.
  • 14. One or more computer readable media as recited in claim 13, further comprising computer executable instructions that, when executed, perform additional acts comprising: assigning similar signatures to activity bursts having similar interactions to uniquely identify the activity bursts as being similar; and calculating the similar signatures by processes comprising: hashing file paths; and hashing identifiers of activity types.
  • 15. One or more computer readable media as recited in claim 13, further comprising computer executable instructions that, when executed, perform additional acts comprising assigning a same signature to activity bursts including interactions with temporary files.
  • 16. One or more computer readable media as recited in claim 13, further comprising computer executable instructions that, when executed, perform additional acts comprising generating a data collection, wherein the data collection includes a listing of one or more activity bursts sorted by respective signatures of the one or more activity bursts.
  • 17. One or more computer readable media as recited in claim 13, further comprising computer executable instructions that, when executed, perform additional acts comprising prohibiting the execution of an unauthorized interaction.
  • 18. One or more computer readable media as recited in claim 13, wherein the interactions include: reading from a memory; writing to a memory; changing a setting; executing an application.
  • 19. One or more computer readable media as recited in claim 13, wherein grouping comprises grouping related interactions on the basis of at least one of: a time associated with the interactions; a user associated with the interactions; a program associated with the interactions.
  • 20. One or more computer readable media as recited in claim 13, further comprising computer executable instructions that, when executed, perform additional acts comprising identifying the presence of an unwarranted program by detecting an occurrence of a signature associated with an activity burst corresponding to the unwarranted program.
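
Claims 13 through 20 describe an analysis pipeline: group related interactions into activity bursts by time, user and program; give bursts with similar interactions the same signature by hashing file paths and activity-type identifiers; treat interactions with temporary files as equivalent; list bursts sorted by signature; and flag an unwarranted program when a known signature appears. The Python below is an added example, not the patent's own code, that carries those steps through on constructed sample interactions. The `Interaction` record layout, the activity-id numbering, the two-second burst window and the temp-file rule are assumptions; it also goes slightly beyond the claim text by normalizing per-user profile directories, for the same reason temp files are normalized.

```python
# Added example, not the patent's own code: grouping intercepted
# interactions into activity bursts, computing a burst signature from hashed
# file paths and activity-type identifiers, normalizing temporary-file (and,
# as an extension, per-user profile) paths so such bursts share a signature,
# sorting the collection by signature and matching against known unwarranted
# signatures. Record layout, id numbering, window and path rules are assumed.
import hashlib
import re
from collections import namedtuple

Interaction = namedtuple("Interaction", "time user program activity path")

# Assumed identifiers for the four interaction kinds named in claim 18.
ACTIVITY_IDS = {"read": 1, "write": 2, "setting": 3, "execute": 4}
BURST_WINDOW = 2.0  # seconds of inactivity that closes a burst (assumed)
_PROFILE = re.compile(r"^(c:/users/)[^/]+/")


def normalize_path(path):
    """Map temporary files to one token, and user profile directories to a
    placeholder, so bursts that differ only in those names share a signature."""
    p = path.lower().replace("\\", "/")
    if p.startswith("/tmp/") or "/temp/" in p or p.endswith(".tmp"):
        return "<tempfile>"
    return _PROFILE.sub(r"\1<user>/", p)


def group_bursts(interactions, window=BURST_WINDOW):
    """Group interactions by (user, program) and proximity in time."""
    bursts, open_bursts = [], {}
    for ix in sorted(interactions, key=lambda i: i.time):
        key = (ix.user, ix.program)
        current = open_bursts.get(key)
        if current is None or ix.time - current[-1].time > window:
            current = []
            bursts.append(current)
            open_bursts[key] = current
        current.append(ix)
    return bursts


def _h(text):
    return hashlib.sha256(text.encode()).hexdigest()[:16]


def burst_signature(burst):
    """Order-independent signature over (activity-id hash, path hash) pairs."""
    pairs = {_h(str(ACTIVITY_IDS[ix.activity])) + ":" + _h(normalize_path(ix.path))
             for ix in burst}
    return hashlib.sha256("\n".join(sorted(pairs)).encode()).hexdigest()


def build_collection(interactions):
    """Data collection: (signature, burst) entries sorted by signature."""
    entries = [(burst_signature(b), b) for b in group_bursts(interactions)]
    return sorted(entries, key=lambda e: e[0])


def detect_unwarranted(collection, known_bad):
    """Return (signature, program) for bursts whose signature is known bad."""
    return [(sig, b[0].program) for sig, b in collection if sig in known_bad]


# Constructed sample interactions (not real telemetry).
SAMPLE = [
    Interaction(100.0, "alice", "updater.exe", "write", r"C:\Temp\a1b2.tmp"),
    Interaction(100.4, "alice", "updater.exe", "setting", "HKCU/Software/Updater/Run"),
    Interaction(100.9, "alice", "updater.exe", "execute", r"C:\Program Files\Updater\helper.exe"),
    Interaction(100.5, "alice", "dropper.exe", "write", r"C:\Users\alice\AppData\x.dll"),
    Interaction(100.6, "alice", "dropper.exe", "setting", "HKCU/Software/Microsoft/Windows/CurrentVersion/Run/x"),
    Interaction(105.0, "alice", "editor.exe", "read", r"C:\Users\alice\notes.txt"),
    Interaction(200.0, "bob", "updater.exe", "write", r"C:\Temp\zz99.tmp"),
    Interaction(200.3, "bob", "updater.exe", "setting", "HKCU/Software/Updater/Run"),
    Interaction(200.8, "bob", "updater.exe", "execute", r"C:\Program Files\Updater\helper.exe"),
]

# Constructed reference burst for a known unwarranted program; only its paths
# and activity types enter the signature, so user, time and name differ freely.
KNOWN_UNWARRANTED = {burst_signature([
    Interaction(0.0, "lab", "sample.bin", "write", r"C:\Users\lab\AppData\x.dll"),
    Interaction(0.1, "lab", "sample.bin", "setting", "HKCU/Software/Microsoft/Windows/CurrentVersion/Run/x"),
])}


if __name__ == "__main__":
    collection = build_collection(SAMPLE)
    for sig, burst in collection:
        print(sig[:12], burst[0].user, burst[0].program, len(burst), "interactions")
    print("unwarranted:", detect_unwarranted(collection, KNOWN_UNWARRANTED))
```

On the sample data the two `updater.exe` bursts (different users, different temp-file names, two hundred seconds apart) collapse to one signature, which is what lets the collection in claim 16 be sorted and counted by behaviour rather than by instance, while the `dropper.exe` burst matches the reference signature and is reported. A signature built this way is a behavioural allow/deny key, not an integrity check: a program that varies one path per run defeats it unless that path class is normalized too.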
Provisional Applications (2)
Number      Date      Country
60743382    Feb 2006  US
60807564    Jul 2006  US