CN113504971A - Container-based security interception method and system - Google Patents

Info

Publication number: CN113504971A (other version: CN113504971B)
Authority: CN (China)
Application number: CN202110817962.6A
Original language: Chinese (zh)
Inventors: 徐冬, 杨波, 顾欣, 孙浩
Current and original assignee: Huayun Data Holding Group Co Ltd
Legal status: Granted; active
Prior art keywords: container, information, target container, target, based security

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00 Arrangements for program control, e.g. control units
    • G06F9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44 Arrangements for executing specific programs
    • G06F9/455 Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
    • G06F9/45533 Hypervisors; Virtual machine monitors
    • G06F9/45558 Hypervisor-specific management and integration aspects
    • G06F2009/45587 Isolation or security of virtual machine instances
    • G06F2009/45591 Monitoring or debugging support

Landscapes

  • Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a container-based security interception method and system. The method comprises the following steps: monitoring the operation behaviors of different running containers to detect the operation data of the containers; determining dangerous behavior information in the operation data based on a preset rule, and acquiring the identity identification information of the corresponding container based on the dangerous behavior information; and searching for the target container corresponding to the identification information and marking the target container as a tainted container. The method and system ensure that a running container is safe and reliable, so that an attacker is prevented from using a container exhibiting dangerous behavior to attack the whole system. This solves the prior-art problems that external attacks cause user information leakage, and that malicious containers expose the online environment to high risk, including malicious attack or remote control.

Description

Container-based security interception method and system
Technical Field
The invention relates to the technical field of computer security management, in particular to a container-based security interception method and system.
Background
In a Kubernetes cluster, the Pod is the basis for all workload types; it is a combination of one or more containers. These containers share storage, network and namespaces, as well as the specification of how to run them. Within a Pod, all containers are arranged and scheduled together and run in a shared context. For a given application, the Pod is its logical host and contains the application containers associated with the service.
As cloud-native applications evolve and the number of applications deployed with Helm or Kustomize (i.e., the package managers for application orchestration in Kubernetes) keeps increasing, the security of Pods cannot be guaranteed. External attacks can cause leakage of user information and other data. For example, a malicious Pod or application deployed in Kubernetes poses a high risk to the online environment; deploying a malicious Pod may even lead to the entire online environment being compromised or controlled by a remote attacker.
In view of the above, an interception method for the safe operation of containers is needed to solve these problems.
Disclosure of Invention
The invention aims to disclose a container-based security interception method and system that ensure a running container is safe and reliable, so that an attacker is prevented from attacking the whole system by means of a container exhibiting dangerous behavior.
To solve this technical problem, the invention is realized as follows:
In a first aspect, a container-based security interception method is provided, including:
monitoring the operation behaviors of different running containers to detect the operation data of the containers;
determining dangerous behavior information in the operation data based on a preset rule, and acquiring the identity identification information of the corresponding container based on the dangerous behavior information;
and searching for the target container corresponding to the identification information and marking the target container as a tainted container.
As a further improvement of the present invention, if the operation data is image information of a container, then after the target container corresponding to the identification information has been found and marked as a tainted container, the method includes:
controlling a Kubelet component to evict the target container.
As a further improvement of the present invention, after the target container corresponding to the identification information has been found and marked as a tainted container, and before the Kubelet component is controlled to evict it, the method includes:
recording the eviction operation on the target container and monitoring whether the information of the target container changes.
As a further improvement of the present invention, the dangerous behavior information includes information corresponding to at least one of the following behaviors: kernel privilege escalation, container escape, host scanning and rootkit.
As a further improvement of the present invention, if the operation data is a network data packet, then after the target container corresponding to the identification information has been found and marked as a tainted container, the method includes:
setting a black-and-white list (a blocklist and allowlist) and isolating the target container through it.
As a further improvement of the present invention, after the black-and-white list has been set to isolate the target container, the method includes:
recording the isolation operation on the target container and monitoring changes in the information of the target container.
As a further improvement of the present invention, the dangerous behavior information includes at least one of: database injection behavior information, security vulnerability attack behavior information of a web application, and file upload behavior information.
As a further improvement of the present invention, after detecting the operation data of the container and before determining the dangerous behavior information in the image information based on the preset rule, the method includes:
generating the preset rule in response to an editing input instruction, so that dangerous behavior information in the image information is determined from the relationship between the safe-operation behavior information in the preset rule and the operation content of the container.
As a further improvement of the invention, before monitoring the operation behaviors of the different running containers, the method includes:
controlling the container to execute a malicious operation in response to a start instruction input by an attacker.
In a second aspect, a container-based security interception system is also provided, comprising:
an eBPF virtual machine for monitoring the operation behaviors of different running containers;
a detector for detecting the operation data of the containers and determining dangerous behavior information in the image information based on a preset rule, so as to acquire the identity identification information of the corresponding container based on the dangerous behavior information;
and a processor for searching for the target container corresponding to the identification information and marking the target container as a tainted container.
As a further improvement of the invention, the system further comprises:
a controller for recording the operations that isolate or evict the target container;
and a kube-apiserver unit for monitoring whether the information of the target container changes.
In a third aspect, a computer-readable medium is provided in which computer program instructions are stored; when the instructions are read and executed by a processor, the steps of the container-based security interception method according to the first aspect are performed.
In a fourth aspect, a terminal device is provided, which includes a processor, a memory, and a computer program stored in the memory and executable on the processor; when executed by the processor, the computer program implements the steps of the container-based security interception method according to the first aspect.
Compared with the prior art, the invention has the following beneficial effects:
The container-based security interception method first detects the operation data of a running container, matches dangerous behavior information in that data against the preset rule, and obtains the identification information of the corresponding container from the matched dangerous behavior information, so that the corresponding target container can be found from the identification information and marked as a tainted container. Therefore, even if external attacks occur or malicious pods or applications are deployed, the method and system detect dangerous behavior in container operation in real time while the whole system runs, promptly capture containers that may exhibit dangerous behavior, and ensure that the running containers are safe and reliable, thereby preventing an attacker from attacking the whole system by means of a container with dangerous behavior. The invention solves the prior-art problems that external attacks cause user information leakage and that malicious containers expose the online environment to high risk, including malicious attack or remote control.
Drawings
FIG. 1 is a flow diagram of a container-based security interception method according to an embodiment of the present invention;
FIG. 2 is a block diagram of a container-based security interception system according to an embodiment of the present invention;
FIG. 3 is a block diagram illustrating the structure of a container-based security interception system according to another embodiment of the present invention;
FIG. 4 is a flow chart of a container-based security interception method according to another embodiment of the present invention;
FIG. 5 is a flow chart of a container-based security interception method according to still another embodiment of the present invention;
FIG. 6 is a flow chart of a container-based security interception method according to still another embodiment of the present invention;
FIG. 7 is a block diagram of the topology of a computer-readable medium according to the present disclosure;
FIG. 8 is a topology structure diagram of a terminal device according to the present invention.
Detailed Description
The present invention is described in detail with reference to the embodiments shown in the drawings, but it should be understood that these embodiments are not intended to limit the present invention; those skilled in the art will understand that functional, methodological or structural equivalents or substitutions derived from these embodiments fall within the scope of the present invention.
Before the various embodiments are described in detail, the core inventive concepts of the present invention are summarized and then described in detail through the following embodiments.
The term "Kubernetes": an open-source system for managing containerized applications across multiple hosts in a cloud platform, abbreviated "k8s".
The term "Kubelet": the daemon in Kubernetes that manages the operation of containers.
The term "eBPF": short for extended Berkeley Packet Filter.
The term "Kube-apiserver": the service in Kubernetes that stores API-related registration information.
The applicant intends to convey the details of the specific technical solutions contained in the invention through the several examples shown below.
The first embodiment is as follows:
Fig. 1 is a schematic flow chart of a container-based security interception method (hereinafter "method" or "interception method") according to an embodiment of the present invention, which ensures that a running container is safe and reliable so as to prevent an attacker from attacking the entire system by means of a container with dangerous behavior. The method is applied to a Kubernetes cluster 400 (i.e., a k8s cluster), and the k8s cluster belongs to a container-based security interception system. With reference to fig. 1 and 2, the container-based security interception method of this embodiment includes:
Step 102: the eBPF virtual machine 100 listens to the operation behaviors of different containers during operation so as to detect the operation data of the containers.
Step 104: the detector 200 determines dangerous behavior information in the operation data based on a preset rule and acquires the identification information ID of the corresponding container based on the dangerous behavior information.
Step 106: the processor 300 looks up the target container 402 corresponding to the identification information ID (the target container 402 is one or more of the containers 402a, …, 402n) and marks the target container 402 as a tainted container.
The container-based security interception method of this embodiment first detects the operation data of a running container, matches dangerous behavior information in that data against the preset rule, and obtains the identification information of the corresponding container from the matched dangerous behavior information, so that the corresponding target container 402 is found from the identification information and marked as a tainted container. In this way, even if an external attack occurs or a malicious pod or application is deployed, the embodiment detects dangerous behavior in container operation in real time while the entire system runs, promptly captures containers that may exhibit dangerous behavior, and ensures that the running containers are safe and reliable, thereby preventing an attacker from attacking the entire system (e.g., the k8s cluster or the container-based security interception system) by means of a container exhibiting dangerous behavior. The embodiment solves the prior-art problems that external attacks cause user information leakage and that malicious containers expose the online environment to high risk, including malicious attack or remote control.
In the above embodiment, when the operation data is a network data packet, the dangerous behavior information corresponding to the packet is information corresponding to an external attack behavior, which specifically includes at least one of: database injection (SQL injection) behavior, security vulnerability attacks on a web application (XSS), operations performed with stolen user identity information (see CSRF below), file upload behavior, behavior contained in a file, command injection, and brute-force cracking.
Cross-site scripting (XSS) is a security vulnerability attack on a web application and a type of code injection: it allows a malicious user to inject code into a web page, and other users are affected when they view the page. Such attacks typically involve HTML as well as client-side scripting languages.
Cross-Site Request Forgery (CSRF) refers to an attacker misappropriating a user's identity and sending malicious requests on the user's behalf, for example sending mail or messages, stealing the account, or even purchasing goods or transferring virtual currency in the user's name.
As described with reference to fig. 3 and 4, if the operation data is a network data packet, the operations after step 106 further include:
Step 1071: the processor 300 sets the black-and-white list so as to isolate the target container through it.
After step 1071, the method further comprises:
Step 1081: recording, through the controller 500, that the target container is to be isolated, and monitoring information changes of the target container through the kube-apiserver unit 600.
It should be noted that, between step 1071 and step 1081, the method may further include: controlling the Kubelet component 401 to perform the isolation operation on the target container based on the black-and-white list.
It should be understood that in this embodiment, when the operation data is a network data packet, after the processor 300 finds the target container corresponding to the identification information ID and marks it as a tainted container, the processor 300 sets a black-and-white list for isolating the target container 402, the controller 500 records that the target container 402 needs to be isolated, the kube-apiserver unit 600 monitors the change information of the target container, and the Kubelet component 401 performs the isolation operation on the pod according to the black-and-white list. In this way, the embodiment promptly captures a container that may be exhibiting dangerous behavior by detecting dangerous behavior during container operation in real time, and because the dangerous behavior information in the container's operation data is found to be produced by an external attack, it applies only a security filtering operation (i.e., isolation) to the external network attack. For example, if a user operation in the container together with execution of a suspicious shell script is detected, it is determined that an attacker is attacking the pod or the network, and isolating the pod effectively prevents further attacks on the pod or the network. The external attack can therefore be intercepted without affecting the service currently provided by the container, improving the operational reliability of the container service system.
In the above embodiment, when the operation data is image information of the container, the dangerous behavior information corresponding to the container image is information corresponding to an internal attack behavior, which specifically includes behaviors such as kernel privilege escalation, container escape, host scanning and rootkit. It will be appreciated that as application services grow, it is difficult to ensure that a running container image has no vulnerabilities or other security issues. If a container is determined from its image to be a malicious Pod or to have a security problem, and an application or container Pod with a security problem or a malicious application is deployed, a huge security risk is brought to the whole operating system.
To solve this technical problem, referring to fig. 5, the operations of this embodiment after step 106 further include:
Step 1082: controlling the Kubelet component 401 to evict the target container.
The operations after step 106 and before step 108 further include:
Step 1072: recording that the target container is to be evicted and monitoring whether the information of the target container changes.
It should be understood that in this embodiment, when the detected operation data of the container is image information, after the processor 300 finds the target container corresponding to the identification information ID and marks it as a tainted container, the controller 500 records that the target container 402 needs to be evicted, the kube-apiserver unit 600 monitors the change information of the target container, and the Kubelet component 401 performs the eviction operation on it. The embodiment thus detects dangerous behavior during container operation in real time, promptly captures a container that may be exhibiting dangerous behavior, and, by examining the problem in the container image, can determine that the dangerous behavior information in the image information was produced by an internal attack (the attack executed when an attacker attacks the inside of the system is recorded in the image file); containers with vulnerabilities or security problems are therefore evicted, defending against container images that carry vulnerabilities or security problems. For example, if a deployed pod attempts a container escape through a kernel vulnerability, the embodiment detects the pod's operation behavior at the kernel layer and evicts the pod. This ensures that the running container is safe and reliable and prevents an attacker from attacking the whole system (such as the k8s cluster or the container-based security interception system) by means of a container with dangerous behavior.
The CVE-2019-5736 vulnerability in a malicious open-source image is taken as an example. The problem with CVE-2019-5736 is that the runc binary of the host can be overwritten, so that an attacker can execute commands with root user privileges. Docker Engine before v18.09.2 left containers running an attacker-controlled image vulnerable to CVE-2019-5736.
The specific interception process of the method of this embodiment is as follows:
First, the detector (i.e., eBPF-user) 200 writes an eBPF interception rule (i.e., a preset rule) for the operation "mv runc ./runc", issued from the pod, that overwrites runc; the command of the runc operation is extracted by writing the corresponding eBPF code.
Next, eBPF-user obtains the ID of the corresponding container and reports it to the processor (eBPF-controller) 300. The eBPF-controller searches k8s for the target container corresponding to the ID, records it as a tainted container and evicts it. The eBPF-controller is developed as an operator, an operator being a resource object in k8s that can monitor resource objects.
Therefore, when an attacker uses the target container pod to launch an attack, the security risk of the target container can be detected and intercepted in real time, so that further spread of the attack is avoided and the security of the online or production environment is ensured.
In any of the above embodiments, as shown in fig. 6, the operations after step 102 and before step 104 further comprise:
Step 103: generating a preset rule in response to an editing input instruction (an instruction the user composes in the detector 200), so that dangerous behavior information in the image information is determined from the relationship between the safe-operation behavior information in the preset rule and the operation content of the container.
Before step 102, the method further comprises:
Step 101: controlling the container to execute a malicious operation in response to a start instruction input by an attacker. It should be noted that, after the container executes the malicious operation, the method of this embodiment sends the malicious operation executed by the container to the eBPF virtual machine 100, so that the detector 200 acquires the operation behavior of the container through the eBPF virtual machine 100.
In a specific embodiment, referring to fig. 2, the container-based security interception method of this embodiment specifically includes:
Step (1): the eBPF virtual machine 100 acquires the malicious operation executed by the pod started by the attacker.
Step (2): the eBPF virtual machine 100 monitors the operation behavior of the running pod based on the acquired malicious operation executed by the pod.
Step (3): the detector 200 detects the operation data of the container from the runtime operation behavior monitored by the eBPF virtual machine 100, and determines dangerous behavior information in the operation data according to the preset rule so as to acquire the identification information ID of the corresponding container from the dangerous behavior information.
Step (4): the processor 300 searches k8s for the target container 402 corresponding to the identification information ID, based on the dangerous behavior information and the corresponding identification information ID obtained by the detector 200, and sets the target container 402 as a tainted container.
It should be noted that if the operation data of the container is determined to be a network data packet, the attacker's attack on the container is determined to be an external attack. To avoid affecting the service provided by the container, the processor 300 sets a black-and-white list for isolating the target container 402, so that the Kubelet component 401 can isolate the target container 402 according to that list.
If instead the operation data is determined to be image information of the container, the attacker's attack on the container is determined to be an internal attack. To ensure that the running containers are secure, the Kubelet component 401 evicts the target container 402 so as to defend against vulnerabilities or security problems in the container image.
Step (5): the Kubelet component 401 isolates or evicts the tainted container according to the setting made by the processor 300.
This embodiment performs real-time detection and analysis of the runtime state of the whole k8s cluster and raises alerts for containers or applications with security problems. When an attack occurs, the embodiment calls a kernel function of the operating system and, through eBPF attached to that kernel function, promptly captures the security-relevant behavior of the running container, thereby ensuring that the container runs safely and reliably and providing a security guarantee for the whole k8s cloud-native environment.
In another specific embodiment, as shown in fig. 3, the only difference from fig. 2 is that between step (4) and step (5) the method further includes:
Step (41): the controller 500 records the target container to be isolated or evicted.
Step (42): the kube-apiserver unit 600 monitors the change information of the target container.
Therefore, the security interception method of the container-based security interception system disclosed in fig. 2 or 3 promptly captures a container with dangerous behavior by detecting dangerous behavior during container operation in real time; it classifies the dangerous behavior information, according to the detected operation data of the container, into information corresponding to external attacks and information corresponding to internal attacks; it isolates external network attacks according to the former so as not to affect the service currently provided by the container, and evicts containers with vulnerabilities or security problems according to the latter, thereby defending against vulnerabilities or security problems in container images. In this way, the embodiment ensures that the running container is safe and reliable, preventing an attacker from attacking the whole system (such as the k8s cluster or the container-based security interception system) by means of a container with dangerous behavior. The embodiment solves the prior-art problems that external attacks cause user information leakage and that malicious containers expose the online environment to high risk, including malicious attack or remote control.
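The detect / look-up / isolate-or-evict pipeline of the first embodiment (steps 102 to 106 and steps (4) and (5)) together with the CVE-2019-5736 interception rule, as an added Python example that is not the patent's own code: the event shape, the rule patterns, the container-to-pod map and the NetworkPolicy used to realize the black-and-white list are all assumptions standing in for the eBPF probe and the k8s API.

```python
"""Rule-based triage of container runtime events, following the detector /
processor / controller split of the patent. Added example, not the patent's
code: rule patterns, event shape, container-to-pod map and the NetworkPolicy
are assumptions standing in for the eBPF probe and the k8s API."""
import re
from dataclasses import dataclass, field

# Preset rules (step 103): (event kind, pattern, behaviour, data class). The
# class follows the page: "image" -> internal attack (escape, privilege
# escalation, scan, rootkit); "network" -> external attack in a packet.
# The patterns are deliberately simple illustrations, not production rules.
RULES = [
    # the page's CVE-2019-5736 example: the host runc binary being overwritten
    ("exec", r"\bmv\b\s+\S*runc\S*\s+\S*runc\S*", "container_escape", "image"),
    ("exec", r"\b(nmap|masscan)\b", "host_scan", "image"),
    ("net", r"(?i)\bunion\s+select\b", "sql_injection", "network"),
    ("net", r"(?i)<script[\s>]", "xss", "network"),
]

@dataclass
class Event:
    """One observation handed up from the eBPF layer (constructed shape)."""
    kind: str          # "exec": process execution; "net": packet payload
    container_id: str
    data: str          # argv line or packet payload as text

@dataclass
class Finding:
    """A tainted target container and the response chosen for it."""
    container_id: str
    pod: str
    behaviours: list = field(default_factory=list)
    classes: set = field(default_factory=set)
    attack_class: str = ""   # "internal" or "external"
    action: str = ""         # "evict" or "isolate"

def detect(event):
    """Detector (step 104): (behaviour, class) for every rule the event
    matches; an empty list means the event is not considered dangerous."""
    return [(name, cls) for kind, pattern, name, cls in RULES
            if kind == event.kind and re.search(pattern, event.data)]

def response_for(classes):
    """The page's decision: image-derived findings are an internal attack and
    the pod is evicted; purely network findings are an external attack and
    the pod is isolated so the running service is not disturbed. Eviction
    wins when a pod shows both."""
    if "image" in classes:
        return "internal", "evict"
    return "external", "isolate"

def triage(events, runtime):
    """Processor (step 106): resolve each dangerous event's container ID to
    its pod through `runtime` (stand-in for the k8s lookup), mark the pod
    tainted and choose the response. Returns {pod_name: Finding}."""
    findings = {}
    for ev in events:
        hits = detect(ev)
        pod = runtime.get(ev.container_id)
        if not hits or pod is None:   # benign event or unknown container
            continue
        f = findings.setdefault(pod, Finding(ev.container_id, pod))
        f.behaviours.extend(n for n, _ in hits if n not in f.behaviours)
        f.classes.update(c for _, c in hits)
        f.attack_class, f.action = response_for(f.classes)
    return findings

def controller_records(findings):
    """Controller (steps 1072 / 1081): the record of every isolation or
    eviction that the kube-apiserver watch is then expected to confirm."""
    return [{"pod": f.pod, "container": f.container_id, "action": f.action,
             "behaviours": sorted(f.behaviours)} for f in findings.values()]

def isolation_policy(pod, namespace="default"):
    """One way to realize the page's black-and-white list for an isolated
    pod: a NetworkPolicy selecting only the tainted pod and listing no
    ingress or egress rules, which denies all its traffic (assumed approach)."""
    return {
        "apiVersion": "networking.k8s.io/v1",
        "kind": "NetworkPolicy",
        "metadata": {"name": f"quarantine-{pod}", "namespace": namespace},
        "spec": {
            "podSelector": {"matchLabels": {"security.example/quarantine": pod}},
            "policyTypes": ["Ingress", "Egress"],
        },
    }

# Constructed sample data: container IDs, pod names and payloads are made up.
RUNTIME = {"c1a2": "web-7f9c", "c3b4": "api-5d2e", "c5c6": "batch-1"}
SAMPLE_EVENTS = [
    Event("exec", "c1a2", "mv runc ./runc"),                       # escape attempt
    Event("net", "c3b4", "GET /items?id=1 UNION SELECT name,pw FROM users"),
    Event("net", "c3b4", "POST /comment body=<script>alert(1)</script>"),
    Event("exec", "c5c6", "ls -la /var/log"),                      # benign
    Event("exec", "zz99", "nmap -sn 10.0.0.0/24"),                 # unknown container
]

if __name__ == "__main__":
    for record in controller_records(triage(SAMPLE_EVENTS, RUNTIME)):
        print(record)
```

On the sample events the web pod is evicted for the runc overwrite while the api pod, which only shows network findings, is isolated; the benign and unknown-container events produce no taint.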
Example two:
As shown in fig. 2, based on the inventive concept of the container-based security interception method disclosed in the first embodiment, the present embodiment provides a container-based security interception system (hereinafter "system" or "interception system"), including: an eBPF virtual machine 100 for monitoring the operation behaviors of different containers in operation; a detector 200 for detecting the operation data of a container and determining dangerous behavior information in the image information based on a preset rule, so as to acquire the identity identification information of the corresponding container based on the dangerous behavior information; and a processor 300 configured to locate a target container 402 corresponding to the identification information and mark the target container 402 as a tainted container.
The container-based security interception system of this embodiment monitors the operation behavior of different containers during operation through the eBPF virtual machine 100, detects the operation data of a running container through the detector 200, matches dangerous behavior information in the operation data according to the preset rule, and obtains the identification information of the corresponding container according to the matched dangerous behavior information, so that the processor 300 can search for the corresponding target container 402 according to the identification information and mark it as a tainted container. In this way, even if there is an external attack behavior or a malicious pod or application has been deployed, the present embodiment captures a container that may exhibit dangerous behavior in time, by detecting dangerous behavior during container operation in real time while the entire system is running, so as to ensure that the running container is safe and reliable and prevent an attacker from attacking the entire system (e.g., the k8s cluster or the container-based security interception system) by using the container with dangerous behavior.
If the operation data is configured as a network data packet, the processor 300 is further configured with a blacklist and whitelist for isolating the target container. The system of this embodiment also includes a Kubelet component 401 for performing the isolation operation on the target container based on the blacklist and whitelist. If the operation data is configured as image information of the container, the Kubelet component 401 is configured to perform an eviction operation on the target container.
As shown in fig. 3, the system of the present embodiment further includes a controller 500 for recording an operation of isolating or evicting the target container; and a kube-apiserver unit 600, configured to monitor whether information of the target container is changed.
In this way, in this embodiment, after the processor 300 finds the target container 402 corresponding to the identification information and marks it as a tainted container, the controller 500 records the target container 402 that needs to be isolated or evicted, the kube-apiserver unit 600 monitors the change information of the target container, and the Kubelet component 401 performs the isolation or eviction on the target container. With such a configuration, a container possibly exhibiting dangerous behavior is captured in time by detecting dangerous behavior during container operation in real time; the dangerous behavior information is classified, according to the operation data of the detected container, into information corresponding to an external attack behavior and information corresponding to an internal attack behavior; the external network attack behavior is isolated according to the former, so that the service of the currently running container is not affected; and the container having a vulnerability or security problem is evicted according to the latter, thereby defending against a container image having the vulnerability or security problem. In this way, the system of the present embodiment ensures that the running container is a safe and reliable container, preventing an attacker from attacking the entire system (such as the k8s cluster or the container-based security interception system) by using a container with dangerous behavior. The embodiment solves the problems of the prior art in which external attack behavior causes user information leakage, or malicious containers exist, so that the online environment is exposed to high risk and may even be attacked maliciously or controlled remotely.
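The following Python sketch is an added example, not code from the patent or its assignee, that simulates the decision flow of the first and second embodiments: operation data is matched against preset rules, the target container is marked tainted, a network-packet match leads to isolation through a blacklist while an image-information match leads to eviction, the controller records the operation before it is applied, and the kube-apiserver stand-in is consulted to confirm the container's state changed. The eBPF virtual machine, Kubelet and kube-apiserver are replaced by in-memory stand-ins; all rule names, patterns, container IDs, the `source` field and the sample events are assumptions constructed for the example.

```python
"""Constructed simulation of: monitor -> match preset rules -> mark target tainted ->
isolate (network data) or evict (image data) -> record and watch for state change.
Stand-ins replace eBPF, Kubelet and kube-apiserver; all names/values are assumed."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Event:
    """One piece of operation data captured at runtime (stand-in for eBPF output)."""
    kind: str            # "network": external attack path; "image": internal attack path
    container_id: str    # identity identification information of the container
    data: str            # network packet text or container image information
    source: str = ""     # peer address for network events (assumed field)


# Preset rules (assumed); matching is a case-insensitive substring check.
NETWORK_RULES: Dict[str, List[str]] = {
    "database_injection": ["union select", "' or 1=1"],
    "web_app_exploit": ["../../etc/passwd"],
    "file_upload": ["content-disposition: form-data; filename="],
}
IMAGE_RULES: Dict[str, List[str]] = {
    "kernel_privilege_escalation": ["privileged=true", "cap_sys_admin"],
    "container_escape": ["/var/run/docker.sock"],
    "host_scan": ["nmap", "masscan"],
    "rootkit": ["ld_preload", "insmod"],
}


@dataclass
class Decision:
    container_id: str
    behaviour: str
    action: str          # "isolate" or "evict"


class Detector:
    """Detector 200 stand-in: matches operation data against the preset rules."""
    def __init__(self, network_rules=NETWORK_RULES, image_rules=IMAGE_RULES):
        self.rules = {"network": network_rules, "image": image_rules}

    def match(self, ev: Event) -> Optional[str]:
        text = ev.data.lower()
        for behaviour, patterns in self.rules.get(ev.kind, {}).items():
            if any(p in text for p in patterns):
                return behaviour
        return None


class Processor:
    """Processor 300 stand-in: locates the target container and marks it tainted."""
    def __init__(self) -> None:
        self.tainted: Dict[str, Decision] = {}

    def mark(self, ev: Event, behaviour: str) -> Decision:
        action = "isolate" if ev.kind == "network" else "evict"   # external vs internal
        self.tainted[ev.container_id] = Decision(ev.container_id, behaviour, action)
        return self.tainted[ev.container_id]


class ApiServer:
    """kube-apiserver unit 600 stand-in: holds container state for change monitoring."""
    def __init__(self, containers: List[str]) -> None:
        self.state = {c: "running" for c in containers}

    def watch(self, cid: str) -> str:
        return self.state[cid]


class Kubelet:
    """Kubelet component 401 stand-in: applies the isolate or evict operation."""
    def __init__(self, api: ApiServer) -> None:
        self.api = api
        self.denylist: Dict[str, List[str]] = {}

    def isolate(self, cid: str, peer: str) -> None:
        self.denylist.setdefault(cid, []).append(peer)   # blacklist only the attacking peer
        self.api.state[cid] = "isolated"                 # container keeps serving others

    def evict(self, cid: str) -> None:
        self.api.state[cid] = "evicted"


def run_pipeline(events: List[Event], api: ApiServer) -> dict:
    detector, processor, kubelet = Detector(), Processor(), Kubelet(api)
    records: List[Decision] = []   # controller 500 stand-in: records each operation
    changes: List[tuple] = []      # (container, state before, state after) per step (42)
    for ev in events:
        behaviour = detector.match(ev)
        if behaviour is None:
            continue               # no dangerous behavior: container is left alone
        d = processor.mark(ev, behaviour)
        before = api.watch(d.container_id)
        records.append(d)          # step (41): record before acting
        if d.action == "isolate":
            kubelet.isolate(d.container_id, ev.source)
        else:
            kubelet.evict(d.container_id)
        changes.append((d.container_id, before, api.watch(d.container_id)))
    return {"records": records, "changes": changes,
            "states": dict(api.state), "denylist": kubelet.denylist}


# Constructed sample events (not from the patent).
SAMPLE_EVENTS = [
    Event("network", "web-7f9c", "GET /items?id=1 UNION SELECT user,pass FROM accounts",
          "203.0.113.9"),
    Event("image", "job-2b1a", "securityContext privileged=true; mount /var/run/docker.sock"),
    Event("network", "api-11aa", "GET /healthz", "198.51.100.4"),
]


def demo() -> dict:
    return run_pipeline(SAMPLE_EVENTS, ApiServer(["web-7f9c", "job-2b1a", "api-11aa"]))
```

Running `demo()` isolates `web-7f9c` (its service keeps running, only the offending peer is blacklisted) and evicts `job-2b1a`, while `api-11aa` matches no rule and is untouched; the `changes` list is what the kube-apiserver stand-in reports, so a step whose state did not change would be visible there.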
Please refer to the description of the first embodiment, and further description thereof is omitted.
Example three:
Referring to FIG. 7, the present embodiment discloses a computer readable medium 700. The computer readable medium 700 may be disposed, in whole or in part, in the physical form of a computer, server, cluster server, or data center.
In this embodiment, a computer-readable medium 700 is provided in which computer program instructions 701 are stored; when the computer program instructions 701 are read and executed by a processor 702, the steps of the container-based security interception method according to the foregoing embodiment are performed.
Alternatively, the computer-readable medium 700 may be configured as a server, and the server runs on a physical device that forms a private cloud, a hybrid cloud, or a public cloud. Meanwhile, the computer-readable medium 800 may also be configured as a Random Access Memory (RAM), a Read Only Memory (ROM), a Programmable Read-Only Memory (PROM), an Erasable Programmable Read-Only Memory (EPROM), an Electrically Erasable Programmable Read-Only Memory (EEPROM), and the like.
The computer readable medium 700 is used for storing a program, and the processor 702 receives an execution instruction to execute a container-based security interception method disclosed in an embodiment.
Meanwhile, the processor 702 of the present embodiment may be an integrated circuit chip having signal processing capability. The processor 702 may be a general-purpose processor, including a Central Processing Unit (CPU), a Network Processor (NP), and the like, or may be a Digital Signal Processor (DSP), an Application Specific Integrated Circuit (ASIC), a Field Programmable Gate Array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, or a discrete hardware component. The various methods, steps and logic blocks disclosed in the embodiments of the present invention may be implemented or performed by it. The general-purpose processor may be a microprocessor or any conventional processor.
For a technical solution of a portion of the computer-readable medium 700 disclosed in this embodiment that is the same as that in the first embodiment and/or the second embodiment, please refer to the description in the first embodiment and/or the second embodiment, which is not repeated herein.
Example four:
Referring to fig. 8, this embodiment discloses a terminal device 800, which includes a processor 81, a storage device 82, and a computer program stored in the storage device 82 and executable on the processor 81; when the computer program is executed by the processor 81, the steps of the container-based security interception method according to the first embodiment are implemented. A communication bus 83 is established for communication between the processor 81 and the storage device 82. The processor 81 is configured to execute one or more programs stored in the storage device 82, where the programs implement the container-based security interception method according to the first embodiment.
In the present embodiment, the storage device 82 includes storage units 821 to 82i, and the parameter i is a positive integer greater than or equal to 1. The terminal device 800 may be understood as a computer, a cluster server, or a cloud platform.
For the specific technical solution of the container-based security interception method relied on by or included in the terminal device 800 of this embodiment, please refer to the description of the first embodiment, which is not repeated here.
In addition, functional units in the embodiments of the present invention may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit. The integrated unit can be realized in a form of hardware, and can also be realized in a form of a software functional unit.
The integrated unit, if implemented in the form of a software functional unit and sold or used as a stand-alone product, may be stored in a computer readable medium. Based on such understanding, the technical solution of the present invention, in essence or in the part that contributes over the prior art, or all or part of the technical solution, may be embodied in the form of a software product, which is stored in a storage medium and includes instructions for causing a computer device (which may be a personal computer, a server, a network device, or the like) or a processor to execute all or part of the steps of the method according to the embodiments of the present invention. The aforementioned storage medium includes: a USB flash drive, a removable hard disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk, an optical disk, or any other medium capable of storing program code.
The above-listed detailed description is only a specific description of a possible embodiment of the present invention, and they are not intended to limit the scope of the present invention, and equivalent embodiments or modifications made without departing from the technical spirit of the present invention should be included in the scope of the present invention.
It will be evident to those skilled in the art that the invention is not limited to the details of the foregoing illustrative embodiments, and that the present invention may be embodied in other specific forms without departing from the spirit or essential attributes thereof. The present embodiments are therefore to be considered in all respects as illustrative and not restrictive, the scope of the invention being indicated by the appended claims rather than by the foregoing description, and all changes which come within the meaning and range of equivalency of the claims are therefore intended to be embraced therein. Any reference sign in a claim should not be construed as limiting the claim concerned.
Furthermore, it should be understood that although the present description refers to embodiments, not every embodiment may contain only a single embodiment, and such description is for clarity only, and those skilled in the art should integrate the description, and the embodiments may be combined as appropriate to form other embodiments understood by those skilled in the art.

Claims (11)

1. A container-based security interception method, comprising:
monitoring operation behaviors of different containers in operation to detect operation data of the containers;
determining dangerous behavior information in the operation data based on a preset rule, and acquiring identity identification information of a corresponding container based on the dangerous behavior information;
and searching a target container corresponding to the identification information and marking the target container as a tainted container.
2. The container-based security interception method of claim 1, wherein if the operation data is configured as mirror image information of a container, after searching for a target container corresponding to the identification information and marking the target container as a tainted container, the method further comprises:
controlling a Kubelet component to perform eviction on the target container.
3. The container-based security interception method according to claim 2, wherein after finding a target container corresponding to said identification information and marking said target container as a tainted container, and before controlling a Kubelet component to evict said target container, said method comprises:
recording the operation of evicting the target container and monitoring whether the information of the target container is changed.
4. The container-based security interception method according to claim 2, wherein said dangerous behavior information comprises:
information corresponding to at least one of kernel privilege escalation, container escape, host scanning and rootkit behavior.
5. The container-based security interception method of claim 1, wherein if the operation data is configured as a network data packet, after searching for a target container corresponding to the identification information and marking the target container as a tainted container, the method comprises:
setting a blacklist and whitelist to isolate the target container through the blacklist and whitelist.
6. The container-based security interception method according to claim 5, comprising, after setting a black and white list to isolate said target container by the black and white list:
recording the operation of isolating the target container and monitoring the information change of the target container.
7. The container-based security interception method according to claim 5,
the dangerous behavior information comprises at least one of database injection behavior information, security vulnerability attack behavior information of a website application program, and file upload behavior information.
8. The container-based security interception method according to claim 2 or 5, wherein after detecting the operation data of the container and before determining the dangerous behavior information in the mirror image information based on the preset rule, the method comprises:
generating a preset rule in response to an editing input instruction, so as to determine dangerous behavior information in the mirror image information based on the relationship between the safe operation behavior information in the preset rule and the operation content of the container.
9. The container-based security interception method according to claim 2 or 5, wherein, before monitoring the operation behaviors of different containers in operation, the method comprises:
controlling the container to execute a malicious operation in response to a start instruction input by an attacker.
10. A container-based security interception system, comprising:
the eBPF virtual machine is used for monitoring the operation behaviors of different containers in operation;
the detector is used for detecting the operation data of the container and determining dangerous behavior information in the mirror image information based on a preset rule so as to acquire the identity identification information of the corresponding container based on the dangerous behavior information;
and a processor used for searching a target container corresponding to the identification information and marking the target container as a tainted container.
11. The container-based security intercept system of claim 10 further comprising:
a controller configured to record operations of isolating or evicting the target container;
and a kube-apiserver unit configured to monitor whether the information of the target container is changed.
CN202110817962.6A 2021-07-20 2021-07-20 Security interception method and system based on container Active CN113504971B (en)

Publications (2)

Publication Number Publication Date
CN113504971A true CN113504971A (en) 2021-10-15
CN113504971B CN113504971B (en) 2024-02-13

Family

ID=78013911
Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant