CN111813497A - Container environment anomaly detection method, device, medium and computer equipment - Google Patents


Info

Publication number
CN111813497A
CN111813497A (application CN202010613033.9A)
Authority
CN
China
Prior art keywords
container
service
process data
detection model
mirror image
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202010613033.9A
Other languages
Chinese (zh)
Inventor
陈磊
阮博男
刘文懋
江国龙
浦明
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Nsfocus Technologies Inc
Nsfocus Technologies Group Co Ltd
Original Assignee
Nsfocus Technologies Inc
Nsfocus Technologies Group Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Nsfocus Technologies Inc, Nsfocus Technologies Group Co Ltd
Priority to CN202010613033.9A
Publication of CN111813497A
Legal status: Pending

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00Arrangements for program control, e.g. control units
    • G06F9/06Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44Arrangements for executing specific programs
    • G06F9/455Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
    • G06F9/45533Hypervisors; Virtual machine monitors
    • G06F9/45558Hypervisor-specific management and integration aspects
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/02Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0209Architectural arrangements, e.g. perimeter networks or demilitarized zones
    • H04L63/0218Distributed architectures, e.g. distributed firewalls
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/14Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1425Traffic logging, e.g. anomaly detection
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00Network arrangements or protocols for supporting network services or applications
    • H04L67/01Protocols
    • H04L67/02Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
    • H04L67/025Protocols based on web technology, e.g. hypertext transfer protocol [HTTP] for remote control or remote monitoring of applications
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00Network arrangements or protocols for supporting network services or applications
    • H04L67/01Protocols
    • H04L67/10Protocols in which an application is distributed across nodes in the network
    • H04L67/1095Replication or mirroring of data, e.g. scheduling or transport for data synchronisation between network nodes
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L67/00Network arrangements or protocols for supporting network services or applications
    • H04L67/01Protocols
    • H04L67/10Protocols in which an application is distributed across nodes in the network
    • H04L67/1097Protocols in which an application is distributed across nodes in the network for distributed storage of data in networks, e.g. transport arrangements for network file system [NFS], storage area networks [SAN] or network attached storage [NAS]
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00Arrangements for program control, e.g. control units
    • G06F9/06Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44Arrangements for executing specific programs
    • G06F9/455Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
    • G06F9/45533Hypervisors; Virtual machine monitors
    • G06F9/45558Hypervisor-specific management and integration aspects
    • G06F2009/45587Isolation or security of virtual machine instances
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00Arrangements for program control, e.g. control units
    • G06F9/06Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44Arrangements for executing specific programs
    • G06F9/455Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
    • G06F9/45533Hypervisors; Virtual machine monitors
    • G06F9/45558Hypervisor-specific management and integration aspects
    • G06F2009/45591Monitoring or debugging support
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00Arrangements for program control, e.g. control units
    • G06F9/06Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44Arrangements for executing specific programs
    • G06F9/455Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
    • G06F9/45533Hypervisors; Virtual machine monitors
    • G06F9/45558Hypervisor-specific management and integration aspects
    • G06F2009/45595Network integration; Enabling network access in virtual machine instances

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • General Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Management, Administration, Business Operations System, And Electronic Commerce (AREA)

Abstract

The application provides a method, a device, a medium and computer equipment for detecting container environment anomalies. The method comprises the following steps: for the host nodes in a container cluster, acquiring historical process data of all service containers in each host node while the service containers run normally; for each image, establishing a detection model based on the historical process data of each service container corresponding to that image; and when the current process data of each service container is received, detecting the current process data with the corresponding detection model and judging whether the environment of that service container is anomalous. Because a plurality of containers are created from each image, the process data gathered per image is diversified, which ensures the detection precision of the detection model; and in a container cluster the number of images is far smaller than the number of service containers, so modeling per image greatly reduces the modeling cost compared with the prior-art approach of modeling each container.

Description

Container environment anomaly detection method, device, medium and computer equipment
Technical Field
The application belongs to the technical field of network security, and particularly relates to a method, a device, a medium and computer equipment for detecting container environment anomalies.
Background
A container is a lightweight, operating-system-level virtualization technique that runs an application and its dependencies in a resource-isolated environment. Container technology achieves lightweight resource virtualization and isolation by sharing the kernel of the host operating system, and in recent years has been widely applied in fields such as DevOps and microservices.
Although container technology is well received and widely used, the security issues behind it cannot be neglected. Whether a container runs securely directly determines whether the service inside it can keep running continuously, stably and as expected; therefore, how to find anomalous threats inside the container environment promptly and accurately, and to raise alarms and handle them, is a problem that the development, operations and emergency-response teams of a container platform must consider.
Generally, whether for endpoint anomaly detection on a traditional host or for virtual machine anomaly detection in a virtualization scheme, modeling and detection are performed per host or per virtual machine. Similarly, in container and container-cluster environments, the prior art still uses the container as the basic unit for modeling and detection. However, in a container cluster the life cycle of a container is short, its behavior during that life cycle is simple, and its behavior data is relatively uniform, so the detection accuracy of a model built per container cannot be ensured; moreover, a cluster contains a large number of containers, a detection model must be established for each one, and the modeling cost is extremely high.
Disclosure of Invention
In view of the problems in the prior art, the embodiments of the application provide a method, a device, a medium and a computer device for detecting container environment anomalies, which solve the technical problems that, in the prior art, detection precision cannot be ensured and modeling cost is high when container environment anomalies are detected.
In a first aspect of the present application, a method for detecting a container environment anomaly is provided, the method comprising:
for the host nodes in a container cluster, acquiring historical process data of all service containers in each host node while the service containers run normally;
for each image, establishing a detection model based on the historical process data of each service container corresponding to that image; the images are used to create the service containers, each image corresponds to a plurality of the service containers, and each image corresponds to one detection model; and
when the current process data of each service container is received, detecting the current process data with the corresponding detection model and judging whether the environment of that service container is anomalous.
Optionally, acquiring the historical process data of all service containers in each host node during normal operation includes:
creating a corresponding privileged container in each host node, wherein the privileged container comprises a data collector;
mounting each socket file into the corresponding privileged container; the socket file is a file listened on by a container daemon, one container daemon exists in each host node, and the container daemon manages the life cycle of all service containers in that host node;
based on a preset collection period, sending a data collection instruction through each data collector to the corresponding socket file, so that the socket file passes the instruction to the corresponding container daemon; and
receiving the historical process data, sent back by each container daemon, of all service containers running in that host node during normal operation.
Optionally, for each image, establishing a detection model based on the historical process data of each service container corresponding to the image includes:
classifying the historical process data of each service container by the image it was created from;
for each image, writing the classified historical process data through a controller into a pre-established data model table, each data item of which is one of the detection models; wherein the controller is deployed in the container cluster in the form of a container.
Optionally, after the detection model is established for each image based on the historical process data of its service containers, the method further includes:
for each image, when new process data of a service container corresponding to that image is received within a preset self-learning period, updating the corresponding detection model with the new process data.
Optionally, detecting the current process data with the corresponding detection model and determining whether each service container environment is anomalous includes:
matching the current process data against the process list in the corresponding detection model;
if the matching result is that the memory utilization of the current process data exceeds the memory utilization threshold in the detection model, or
if the matching result is that the CPU utilization of the current process data exceeds the CPU threshold in the detection model, determining that resource usage in the service container is anomalous.
Optionally, the method further includes:
if the matching result is that the current process opened an unknown file, or
if the matching result is that an unknown process (PID) was created in the service container, determining that process behavior in the service container is anomalous.
Optionally, the method further includes:
if the matching result is that a blacklisted process exists, or
if the matching result is that the current process runs under an unknown user identity, or
if the matching result is that the current process was started from an unknown path, determining that a process attribute in the service container is anomalous.
In a second aspect of the present application, an apparatus for detecting a container environment anomaly is provided, the apparatus comprising:
an acquisition module, configured to acquire, for the host nodes in the container cluster, historical process data of all service containers in each host node while the service containers run normally;
an establishing module, configured to establish, for each image, a detection model based on the historical process data of each service container corresponding to that image; the images are used to create the service containers, each image corresponds to a plurality of the service containers, and each image corresponds to one detection model; and
a detection module, configured to detect, when the current process data of each service container is received, the current process data with the corresponding detection model and judge whether the environment of that service container is anomalous.
In a third aspect of the present application, a computer-readable storage medium is provided, on which a computer program is stored which, when being executed by a processor, carries out the method of any one of the first aspects.
In a fourth aspect of the present application, a computer device is provided, comprising a memory, a processor and a computer program stored on the memory and executable on the processor, the processor implementing the method of any one of the first aspect when executing the program.
The application provides a method, a device, a medium and a computer device for detecting container environment anomalies, wherein containers are created from images and one image corresponds to a plurality of service containers; therefore the method and device establish a detection model for each image from the process data of all service containers created from that image. The process data so obtained is diversified, so the detection model fully characterizes the behavior of all service containers of that image during normal operation, and its detection precision can be ensured; and in a container cluster the number of images is far smaller than the number of service containers, so modeling per image greatly reduces the modeling cost compared with the prior-art approach of modeling each container.
Drawings
Fig. 1 is a schematic flow chart of a method for detecting a container environment anomaly according to an embodiment of the present application;
Fig. 2 is a schematic diagram of an apparatus for detecting a container environment anomaly according to an embodiment of the present disclosure;
Fig. 3 is a schematic diagram of a container cluster of the Kubernetes system according to an embodiment of the present disclosure;
Fig. 4 is a schematic flowchart of detection model establishment provided in an embodiment of the present application;
Fig. 5 is a schematic view illustrating a container environment anomaly detection process provided in an embodiment of the present application;
Fig. 6 is a schematic structural diagram of an apparatus for detecting a container environment anomaly according to an embodiment of the present application;
Fig. 7 is a schematic structural diagram of a computer apparatus for detecting a container environment anomaly according to an embodiment of the present application;
Fig. 8 is a schematic structural diagram of a medium for detecting a container environment anomaly according to an embodiment of the present application.
Detailed Description
In order to solve the technical problems that, in the prior art, detection precision cannot be ensured and modeling cost is high in container environment anomaly detection, the application provides a method, a device, a medium and computer equipment for container environment anomaly detection, wherein the method comprises the following steps: for the host nodes in a container cluster, acquiring historical process data of all service containers in each host node while the service containers run normally; for each image, establishing a detection model based on the historical process data of each service container corresponding to that image, where the images are used to create the service containers, each image corresponds to a plurality of the service containers, and each image corresponds to one detection model; and when the current process data of each service container is received, detecting the current process data with the corresponding detection model and judging whether the environment of that service container is anomalous.
The technical solution of the present application is further described in detail with reference to the accompanying drawings and specific embodiments.
Example one
The present embodiment provides a method for detecting a container environment anomaly, as shown in Fig. 1; the method includes:
S110, for the host nodes in a container cluster, acquiring historical process data of all service containers in each host node while the service containers run normally;
In a distributed system there are a plurality of hosts, each host is a node, and a plurality of containers are deployed in each host node to form the container cluster.
To keep each host node efficient, after containers are created, a background management module of the distributed system deploys them in a unified way, choosing an optimal placement according to the current resource occupancy of each host node. As a result, different containers created from the same image may be deployed on different host nodes.
For the host nodes in the container cluster, the historical process data of all service containers in each host node during normal operation is collected so that a detection model can be established from it.
Specifically, collecting the historical process data of all service containers in each host node during normal operation is implemented as follows:
A corresponding privileged container is created in each host node, as shown in Fig. 2; if there are N host nodes there are also N privileged containers. The privileged container includes a data collector, which comprises an acquisition module, a timing module and a first message-center module. The acquisition module acquires the historical process data of the service containers, the timing module sets the collection period, and the first message-center module exchanges data with the controller over a message queue, for example to send the collected historical process data to the controller.
The data collector is deployed in each host node in the form of a container and has the same standing in the container cluster as the other service containers and system containers, so the background management unit of the system can manage the privileged containers in the same way as other containers (deployment, orchestration, scheduling and so on). To reduce the impact on the service containers, the privileged container is placed in a separate namespace in the container cluster, isolating it from the service environment.
To collect the historical process data of all containers in each host node, each socket file is mounted into the corresponding privileged container, one socket file per privileged container. The socket file is a local file listened on by the container daemon; one container daemon exists in each host node and manages and monitors the life cycle of all service containers in that node (creation, pausing, resuming, destruction and so on). The socket file may be a Unix socket.
Based on the collection period set in the timing module, each acquisition module sends a data collection instruction to the corresponding socket file, and through the socket file the instruction reaches the corresponding container daemon; on receiving it, the container daemon queries the historical process data of the corresponding containers and writes it back to the socket file.
Having received the historical process data, the socket file delivers it to the corresponding collector, so that each collector in effect receives, from its container daemon, the historical process data of all service containers running in its host node during normal operation.
In the method and device of the application, data are exchanged through the socket file, so the data collector can acquire data without intruding into the service container. This non-intrusive collection mode avoids invading the service container and reduces the impact on its interior.
It is worth noting that the container daemon monitors not only the process data of the service containers but also that of the privileged container, so the historical process data obtained by the data collector may include historical process data of the service containers as well as of the privileged container.
To better understand how the collector obtains the historical process data without being noticed by the service containers, Kubernetes is taken as an example:
A Kubernetes system comprises a master node and a plurality of worker (slave) nodes; its scheduling unit is the pod, one pod comprising one or more containers, and pods are grouped into higher-level logical controllers such as Deployment, DaemonSet and StatefulSet, all of which are collectively called resources in the Kubernetes system.
Resources are divided logically along namespace boundaries, with resources of different functions placed in different namespaces. Referring to Fig. 3, for example: all resources belonging to Kubernetes itself are located in the kube-system namespace; under the default configuration, the user's service-related resources are located in the default namespace or in a user-defined service namespace; service containers are placed in namespaces according to service type, for example the service containers of service type A in the namespace of service 1 and those of service type B in the namespace of service 2; and the privileged container and the controller are located in the secure-container namespace. Resources in different namespaces are unrelated and isolated from each other.
In Fig. 3 a socket file is mounted into each privileged container, and the data collector in the privileged container interacts with the container daemon of the host node through that socket file to obtain the historical process data of all service containers on the node, avoiding any intrusion of the data collector into the service containers.
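The collection step above, as an added illustration that is not code from the patent: a collector inside the privileged container talks HTTP to the container daemon over its mounted Unix socket and flattens the per-container process listing into records of the table 1 shape. It assumes the daemon is Docker with its Engine API at /var/run/docker.sock (the page says only "container daemon" and "Unix socket"); the sample replies are constructed so the parsing runs without a daemon.

```python
import http.client
import json
import socket

# Path of the daemon's Unix socket as mounted into the privileged container.
# Assumption: the daemon is Docker; the page says only "container daemon".
SOCKET_PATH = "/var/run/docker.sock"


class UnixHTTPConnection(http.client.HTTPConnection):
    """HTTP over a Unix-domain socket: no TCP port of the daemon is exposed."""

    def __init__(self, path):
        super().__init__("localhost")
        self.unix_path = path

    def connect(self):
        self.sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        self.sock.connect(self.unix_path)


def daemon_get(path, sock_path=SOCKET_PATH):
    """Send one data-collection request to the daemon and decode its JSON reply."""
    conn = UnixHTTPConnection(sock_path)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        body = resp.read()
    finally:
        conn.close()
    if resp.status != 200:
        raise RuntimeError(f"{path}: HTTP {resp.status} {body[:200]!r}")
    return json.loads(body)


def top_to_records(container, top):
    """Flatten a GET /containers/{id}/top reply into one record per process.

    The reply carries a 'Titles' row (ps -ef columns by default) and one
    'Processes' row per process; the record shape mirrors table 1.
    CPU/memory utilization and open files are not in this reply; they would
    come from /containers/{id}/stats and the host's /proc respectively.
    """
    idx = {title: i for i, title in enumerate(top["Titles"])}
    records = []
    for row in top["Processes"]:
        records.append({
            "container": container["Names"][0].lstrip("/"),
            "cid": container["Id"][:12],
            "image": container["Image"],
            "cmd": row[idx["CMD"]],
            "user": row[idx["UID"]],
            "pid": int(row[idx["PID"]]),
            "ppid": int(row[idx["PPID"]]),
        })
    return records


def collect_node(sock_path=SOCKET_PATH):
    """One collection period: list running containers, then their processes."""
    records = []
    for c in daemon_get("/containers/json", sock_path):
        top = daemon_get(f"/containers/{c['Id']}/top", sock_path)
        records.extend(top_to_records(c, top))
    return records


# Constructed sample replies, shaped like the daemon's, so the parsing can be
# exercised without a daemon.
SAMPLE_CONTAINER = {"Id": "0123456789abcdef0123456789abcdef",
                    "Names": ["/web-a1"], "Image": "web:1.0"}
SAMPLE_TOP = {
    "Titles": ["UID", "PID", "PPID", "C", "STIME", "TTY", "TIME", "CMD"],
    "Processes": [
        ["root", "2101", "2080", "0", "10:00", "?", "00:00:01",
         "nginx: master process /usr/sbin/nginx -g daemon off;"],
        ["www-data", "2140", "2101", "0", "10:00", "?", "00:00:00",
         "nginx: worker process"],
    ],
}

if __name__ == "__main__":
    for rec in top_to_records(SAMPLE_CONTAINER, SAMPLE_TOP):
        print(rec)
```

Inside the cluster, `collect_node()` is what the timing module would call once per collection period; the records it returns are what the first message-center module forwards to the controller.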
S111, for each image, establishing a detection model based on the historical process data of each service container corresponding to the image; the images are used to create service containers, each image corresponds to a plurality of service containers, and each image corresponds to one detection model;
Continuing with Fig. 2, after the acquisition module has acquired the historical process data of each service container, the first message-center module sends it to the controller, and the controller establishes a detection model based on the historical process data of the service containers corresponding to each image. The controller is deployed in the container cluster in the form of a container; as shown in Fig. 3, it is located in the same namespace as the privileged container.
With continued reference to Fig. 2, the controller includes a second message-center module, a task-dispatching module, a detection module and an alarm-generating module. The second message-center module exchanges data with the data collector over a message queue; the task-dispatching module calls the detection module with the received message (such as current process data) as its parameter; the detection module drives the self-learning of the detection model and performs the anomaly detection; and the alarm-generating module issues alarm information.
The historical process data of each service container can be as shown in Table 1.
TABLE 1
[Table 1 is an image in the original publication and is not reproduced here; its columns are listed below.]
As can be seen from Table 1, the historical process data of each service container includes: container name, container ID, image name, process command line, process owner (user), files opened by the process, process ID (PID), parent process ID, CPU utilization and memory utilization.
Because the life cycle of each service container is short and the behavior data of a single service container is uniform, in order to ensure the precision of the detection model the controller, when establishing it, classifies the historical process data of each service container by image, and for each image writes the classified historical process data into a pre-established data model table; each data item in the data model table is one detection model. The images are used to create service containers, each image corresponds to a plurality of service containers, and each image corresponds to one detection model.
Although the specific process data of different containers created from the same image may differ, their behavior patterns are similar; classifying the historical process data of each container by image therefore increases the diversity and complexity of the process data, and a detection model established from the classified data has higher detection precision.
Referring to Fig. 4, for example, the service containers corresponding to image A are containers A1 ... An, the service containers corresponding to image B are containers B1 ... Bn, and so on. Then for image A the classified historical process data includes the historical process data of containers A1 ... An, and for image B that of containers B1 ... Bn. The detection model corresponding to image A is then established from the classified historical process data of containers A1 ... An. The individual detection models can be as shown in Table 2.
TABLE 2
[Table 2 is an image in the original publication and is not reproduced here; its fields are listed below.]
As can be seen from Table 2, a detection model includes: model data item, data item type and data item value. The model data items include: image ID, image name, process list, model state and model creation time; the process list holds the processes of all service containers corresponding to the image.
It should be noted that when the controller receives historical process data classified to a certain image, it needs to determine whether a detection model for that image already exists, and if not, the corresponding detection model is created automatically.
As an optional implementation, for each image, after a detection model is established based on the historical process data in each service container corresponding to the image, the method further includes:
for each image, when new process data of a service container corresponding to the image is received within a preset self-learning period, updating the corresponding detection model with the new process data so that the detection model keeps learning and its detection precision improves. The self-learning period may be preset, for example to one month or one week. During the self-learning period the model state of the detection model is 'training'; when the self-learning period ends the model state becomes 'ready', and once the model state is 'ready' process data can be detected automatically.
S112, when the current process data of each service container is received, detecting the current process data based on the corresponding detection model and judging whether the environment of each service container is abnormal.
After the detection model is established, for each process it records information such as the historical maximum CPU utilization (the CPU utilization threshold), the memory utilization threshold, the names of the files opened by the process, the user identity and the start path. When the controller receives the current process data of each service container sent by the data collector, it detects the current process data against the corresponding detection model and judges whether the environment of each service container is abnormal. The detection flow is shown in fig. 5.
As an optional embodiment, detecting the current process data based on the corresponding detection model and determining whether each service container environment is abnormal includes:
matching the current process data against the process list in the corresponding detection model;
if the matching result is that the memory utilization of the current process exceeds the memory utilization threshold of that process in the detection model, or that the CPU utilization of the current process exceeds the CPU utilization threshold of that process in the detection model, determining that the resource usage in the service container is abnormal.
For example, for process f of service container A, the memory utilization threshold of process f in the detection model is 5% and the CPU utilization threshold of process f is 3%; if the memory utilization of process f at the current moment is 6%, or the CPU utilization of process f at the current moment is 4%, the resource usage in service container A is determined to be abnormal.
Similarly, if the matching result is that the current process has opened an unknown file, or that an unknown process has been created in the service container, determining that the process behavior in the service container is abnormal.
If the matching result is that a blacklisted process exists, or that the current process runs under an unknown user identity, or that the current process was started from an unknown path, determining that the process attributes in the service container are abnormal.
Optionally, after detecting the current process data based on the corresponding detection model and determining whether each service container environment is abnormal, the method further includes:
if the environment of a service container is determined to be abnormal, the controller generates alarm information from the detection result and pushes it to the web interface in real time; from the alarm information the administrator can learn of the anomaly and locate the cluster host node, the container and the process within the container where it occurred, so as to remediate the system promptly. The alarm information can be as shown in table 3.
TABLE 3
(Table 3, the alarm information, is reproduced only as an image in the original.)
According to the container environment anomaly detection method, because containers are created from images, one image corresponds to a plurality of service containers; the method therefore establishes one detection model per image from the process data of all service containers created from that image. The process data obtained in this way is diverse, so the detection model can fully characterize the behavior of all service containers corresponding to the image during normal operation, and the detection precision of the detection model is ensured. In a container cluster the number of images is far smaller than the number of service containers, so compared with the prior-art approach of modeling each container individually, modeling per image greatly reduces the modeling cost.
In addition, the collector and the controller are both deployed in the cluster as containers, so no separate management mechanism needs to be added and the background management module can manage the containers hosting the collector and the controller in the same way as any other container; to reduce the impact on the service containers, the privileged container is placed in a separate namespace in the container cluster, isolating it from the service environment and avoiding interference with the normal operation of the service containers.
Based on the same inventive concept, the application also provides a container environment anomaly detection apparatus, which is detailed in the second embodiment.
Example two
The present embodiment provides a container environment anomaly detection apparatus, as shown in fig. 6, the apparatus including: an obtaining module 61, an establishing module 62 and an anomaly detection module 63; wherein:
the obtaining module 61 is configured to collect, for the host nodes in a container cluster, the historical process data of all service containers normally running in each host node;
the establishing module 62 is configured to establish, for each image, a detection model based on the historical process data in each service container corresponding to the image; the images are used for creating the service containers, each image corresponds to a plurality of service containers, and each image corresponds to one detection model;
and an anomaly detection module 63, configured to, when receiving the current process data of each service container, detect the current process data based on a corresponding detection model, and determine whether an environment of each service container is anomalous.
In the distributed system, a plurality of hosts exist, one host is a node, and a plurality of containers are deployed in each host node to form a container cluster.
In order to ensure the processing efficiency of each host node, after the containers are created the background management module of the distributed system deploys them uniformly, determining the optimal placement according to the current resource occupancy of each host node. As a result, even different containers created from the same image may be deployed on different host nodes.
For the host nodes in the container cluster, the historical process data of all service containers in each host node during normal operation is collected, so that a detection model can be established from the historical process data.
Specifically, the obtaining module 61 collects historical process data of all service containers running in each host node, and the implementation is as follows:
A corresponding privileged container is created in each host node; as shown in fig. 2, the privileged container contains a data collector, and the data collector comprises an acquisition module, a timing module and a first message center module. The acquisition module collects the historical process data of the service containers, the timing module sets the acquisition period, and the first message center module exchanges data with the controller over a message queue, for example by sending the collected historical process data to the controller.
The data collector is deployed in each host node in the form of a container and has the same standing in the container cluster as the service containers, system containers and other containers of the system, so that the background management unit of the system can manage the privileged containers (deployment, orchestration, scheduling and so on) in the same way as any other container. To reduce the impact on the service containers, the privileged container is placed in a separate namespace in the container cluster, isolating it from the service environment.
In order to collect the historical process data of all containers in each host node, each socket file is mounted into the corresponding privileged container, one socket file per privileged container. The socket file is a local file on which the container daemon listens; there is one container daemon per host node, and it manages the life cycle (creation, pausing, resumption, destruction and so on) of all service containers in that host node. The socket file may be a unix domain socket.
According to the acquisition period set in the timing module, each acquisition module sends a data acquisition instruction to the corresponding socket file, through which it reaches the corresponding container daemon; after receiving the instruction, the container daemon obtains the historical process data of the corresponding containers and returns it through the same socket file.
Once the socket file has relayed the historical process data of the corresponding service containers to the data collector, the obtaining module 61 has in effect received, from each container daemon, the historical process data of all service containers running in the corresponding host node.
Because the data exchange goes through the socket file, the acquisition module obtains the data without entering the service container. This non-intrusive collection avoids touching the service container and reduces the impact on its interior.
It is worth noting that the container daemon can monitor not only the process data of the service container, but also the process data of the privileged container. The historical process data acquired by the acquisition module may include historical process data in the service container or historical process data in the privileged container.
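The socket exchange described above, as an added example in Python rather than the patent's collector: it assumes the container daemon is Docker and that /var/run/docker.sock has been mounted into the privileged container, and it uses only documented Engine API endpoints (/containers/json, /containers/{id}/top and /containers/{id}/stats?stream=false). The "data acquisition instruction" is simply an HTTP GET over the unix socket; the daemon answers without anything being run inside the service container. The function and constant names are this example's own.

```python
# Collecting process rows from the container daemon over its mounted unix socket
# (added example, not the patent's collector). Assumes the daemon is Docker, reached
# through /var/run/docker.sock mounted into the privileged container, and uses only
# documented Engine API endpoints: /containers/json, /containers/{id}/top and
# /containers/{id}/stats?stream=false.
import http.client
import json
import socket
from urllib.parse import quote

DOCKER_SOCK = "/var/run/docker.sock"   # the socket file mounted into the privileged container


class UnixHTTPConnection(http.client.HTTPConnection):
    """HTTP/1.1 over a unix domain socket; the host name is a placeholder and is never resolved."""

    def __init__(self, path, timeout=10):
        super().__init__("localhost", timeout=timeout)
        self.unix_path = path

    def connect(self):
        self.sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        self.sock.settimeout(self.timeout)
        self.sock.connect(self.unix_path)


def docker_get(path, sock=DOCKER_SOCK):
    """One GET against the daemon: the 'data acquisition instruction' sent through the socket file."""
    conn = UnixHTTPConnection(sock)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        body = resp.read()
        if resp.status != 200:
            raise RuntimeError(f"{path}: HTTP {resp.status} {body[:200]!r}")
        return json.loads(body)
    finally:
        conn.close()


def cpu_percent(stats):
    """The formula `docker stats` uses: the container's share of host CPU time since the previous sample."""
    cpu, pre = stats["cpu_stats"], stats["precpu_stats"]
    cpu_delta = cpu["cpu_usage"]["total_usage"] - pre["cpu_usage"]["total_usage"]
    sys_delta = cpu.get("system_cpu_usage", 0) - pre.get("system_cpu_usage", 0)
    if cpu_delta <= 0 or sys_delta <= 0:
        return 0.0
    ncpu = cpu.get("online_cpus") or len(cpu["cpu_usage"].get("percpu_usage", [])) or 1
    return round(cpu_delta / sys_delta * ncpu * 100.0, 2)


def mem_percent(stats):
    mem = stats["memory_stats"]
    return round(mem.get("usage", 0) / mem["limit"] * 100.0, 2) if mem.get("limit") else 0.0


def process_rows(container, top, stats):
    """Flattens one container's top/stats answers into Table 1 style rows. `top` carries no
    per-process CPU/memory and no open files, so the container-level figures are attached."""
    col = {title: i for i, title in enumerate(top["Titles"])}
    return [{
        "container_name": container["Names"][0].lstrip("/"),
        "container_id": container["Id"][:12],
        "image_name": container["Image"],
        "cmdline": proc[col["COMMAND"]],
        "user": proc[col["USER"]],
        "pid": int(proc[col["PID"]]),
        "ppid": int(proc[col["PPID"]]),
        "cpu_pct": cpu_percent(stats),
        "mem_pct": mem_percent(stats),
    } for proc in top["Processes"]]


def collect(sock=DOCKER_SOCK):
    """One acquisition cycle: every running container on this host node, without entering any of them."""
    rows = []
    for c in docker_get("/containers/json", sock):
        top = docker_get(f"/containers/{c['Id']}/top?ps_args={quote('-eo pid,ppid,user,args')}", sock)
        stats = docker_get(f"/containers/{c['Id']}/stats?stream=false", sock)
        rows.extend(process_rows(c, top, stats))
    return rows


if __name__ == "__main__":
    for row in collect():
        print(row)
```

Two things a practitioner should keep in mind: `top` reports no per-process resource figures, so the container-level CPU and memory percentages from `stats` are attached to every row, and the files a process has open (a Table 1 field) need a further source such as the host's /proc; and the same socket accepts every daemon API call, not only these reads, so the collector must be treated as being as sensitive as the daemon itself.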
In order to better understand how the collector obtains the historical process data non-intrusively, Kubernetes is taken as an example:
A Kubernetes system comprises a master node and a plurality of worker (slave) nodes. The scheduling unit is the pod; one pod comprises one or more containers, and pods are grouped by higher-level controllers such as Deployment, DaemonSet and StatefulSet, all of which are collectively referred to as resources within the Kubernetes system.
Resources are logically divided by namespace, with resources of different functions placed in different namespaces. Referring to fig. 3, for example: all resources belonging to Kubernetes itself are located in the kube-system namespace; under the default configuration the user's service resources are located in the default namespace or in a user-defined service namespace; service containers are placed in namespaces according to service type, so the service containers of service type A are in the namespace of service 1 and those of service type B in the namespace of service 2; and the privileged containers and the controller are located in the secure container namespace. Resources in different namespaces are logically isolated from one another.
In fig. 3 a socket file is mounted into each privileged container, and the data collector in the privileged container interacts with the host node's container daemon through the socket file to obtain the historical process data of all service containers on that host node, so the acquisition module never intrudes into the service containers.
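The Kubernetes layout just described, written out as an added example manifest (not the patent's own): a DaemonSet places one collector pod on every node, in a dedicated namespace, with the host's daemon socket file mounted in. The namespace, workload and image names are placeholders.

```yaml
# Added example, not the patent's manifest: one collector per host node, in its own
# namespace, with the daemon's unix socket mounted from the host. Names are placeholders.
apiVersion: v1
kind: Namespace
metadata:
  name: secure-container
---
apiVersion: apps/v1
kind: DaemonSet
metadata:
  name: process-collector
  namespace: secure-container
spec:
  selector:
    matchLabels:
      app: process-collector
  template:
    metadata:
      labels:
        app: process-collector
    spec:
      containers:
        - name: collector
          image: registry.example/process-collector:1.0   # placeholder image reference
          securityContext:
            privileged: true          # the page calls this the privileged container
          volumeMounts:
            - name: docker-sock
              mountPath: /var/run/docker.sock
      volumes:
        - name: docker-sock
          hostPath:
            path: /var/run/docker.sock
            type: Socket
```

Whatever can open that socket can create, exec into and stop every container on the node and mount the host's filesystem, so the collector pod is as sensitive as the daemon itself; marking the volume readOnly does not restrict the API calls made over the socket, and the namespace separation the page relies on is a logical boundary, so who may create pods in, or read secrets from, this namespace has to be restricted with RBAC. `privileged: true` is kept because the page calls it the privileged container; the socket mount alone is what the collector needs for this API.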
With reference to fig. 2, after the obtaining module 61 obtains the historical process data of each service container it sends that data to the controller, and the establishing module 62 establishes, for each image, a detection model based on the historical process data of each service container corresponding to the image. The establishing module 62 may be implemented by the controller, which is deployed in the container cluster in the form of a container; as shown in fig. 3, the controller is located in the same namespace as the privileged containers.
With continued reference to fig. 2, the controller comprises a second message center module, a task dispatching module, a detection module and an alarm generating module. The second message center module exchanges data with the data collector over a message queue; the task dispatching module passes each received message (such as current process data) to the detection module as a parameter; the detection module drives the self-learning of the detection model and performs anomaly detection; and the alarm generating module issues alarm information. The historical process data of each service container can be as shown in table 1.
TABLE 1
(Table 1 is reproduced only as an image in the original; its fields are listed in the following paragraph.)
As can be seen from table 1, the historical process data of each service container includes: container name, container ID, image name, process command line, the user the process belongs to, the files opened by the process, process ID (PID), parent process ID, CPU utilization and memory utilization.
Because the life cycle of each service container is relatively short and the behavior data of a single service container is limited, in order to ensure the precision of the detection model, when the detection model is established the establishing module 62 classifies the historical process data of each service container by taking the image as the reference, and for each image writes the classified historical process data into a pre-established model table in the database; each data item (row) of the model table is one detection model. The images are used for creating the service containers, each image corresponds to a plurality of service containers, and each image corresponds to one detection model.
Although the specific process behavior data of different containers created from the same image may differ, their behavior patterns are similar; classifying the historical process data of each container by image therefore increases the diversity and richness of the process data, and a detection model established on the classified data has higher detection precision.
Referring to fig. 4, for example, the service containers corresponding to image A are containers A1 … An, the service containers corresponding to image B are containers B1 … Bn, and so on. For image A the classified historical process data is then the historical process data of containers A1 … An, and for image B it is the historical process data of containers B1 … Bn. The detection model corresponding to image A is established from the classified historical process data of containers A1 … An. The individual detection models can be as shown in table 2.
TABLE 2
(Table 2 is reproduced only as an image in the original; its data items are described in the following paragraph.)
As can be seen from table 2, each detection model consists of a model data item, a data item type and a data item value; the model data items are: image ID, image name, process list, model state and model creation time, where the process list is the set of processes observed in all service containers corresponding to the image.
It should be noted that when the establishing module 62 receives historical process data classified for a certain image, it needs to determine whether a detection model corresponding to that image already exists, and if not, the corresponding detection model is created automatically.
As an optional implementation, the establishing module 62 is further configured to, after establishing a detection model for each image based on the historical process data in each service container corresponding to the image:
for each image, when new process data of a service container corresponding to the image is received within a preset self-learning period, update the corresponding detection model with the new process data so as to train the detection model and improve its detection precision. The self-learning period may be preset, for example to one month or one week. During the self-learning period the model state of the detection model is 'training'; when the self-learning period ends the model state becomes 'ready', and once the model state is 'ready' process data can be detected automatically.
After the detection model is established, for each process it records information such as the historical maximum CPU utilization (the CPU utilization threshold), the memory utilization threshold, the names of the files opened by the process, the user identity and the start path. When the controller receives the current process data of each service container sent by the collector, it detects the current process data against the corresponding detection model and judges whether the environment of each service container is abnormal. The detection flow is shown in fig. 5.
As an alternative embodiment, the anomaly detection module 63 detects the current process data based on the corresponding detection model and determines whether each service container environment is abnormal as follows:
matching the current process data against the process list in the corresponding detection model;
if the matching result is that the memory utilization of the current process exceeds the memory utilization threshold of that process in the detection model, or that the CPU utilization of the current process exceeds the CPU utilization threshold of that process in the detection model, determining that the resource usage in the service container is abnormal. The anomaly detection module 63 may be implemented by the controller.
For example, for process f of service container A, the memory utilization threshold of process f in the detection model is 5% and the CPU utilization threshold of process f is 3%; if the memory utilization of process f at the current moment is 6%, or the CPU utilization of process f at the current moment is 4%, the resource usage in service container A is determined to be abnormal.
Similarly, if the matching result is that the current process has opened an unknown file, or that an unknown process has been created in the service container, determining that the process behavior in the service container is abnormal.
If the matching result is that a blacklisted process exists, or that the current process runs under an unknown user identity, or that the current process was started from an unknown path, determining that the process attributes in the service container are abnormal.
Optionally, after detecting the current process data based on the corresponding detection model and determining whether each service container environment is abnormal, the method further includes:
if the environment of a service container is determined to be abnormal, the controller generates alarm information from the detection result and pushes it to the web interface in real time; from the alarm information the administrator can learn of the anomaly and locate the cluster host node, the container and the process within the container where it occurred, so as to remediate the system promptly. The alarm information can be as shown in table 3.
TABLE 3
(Table 3, the alarm information, is reproduced only as an image in the original.)
The container environment anomaly detection method, apparatus, medium and computer device of the present application have at least the following advantages:
The application provides a container environment anomaly detection method, apparatus, medium and computer device, the method comprising: for the host nodes in a container cluster, acquiring historical process data of all service containers in each host node during normal operation; for each image, establishing a detection model based on the historical process data in each service container corresponding to the image, where the images are used for creating the service containers, each image corresponds to a plurality of service containers, and each image corresponds to one detection model; and when current process data of each service container is received, detecting the current process data based on the corresponding detection model and judging whether the environment of each service container is abnormal. Because containers are created from images, one image corresponds to a plurality of service containers; the application therefore establishes one detection model per image from the process data of all service containers created from that image. The process data obtained in this way is diverse, so the detection model can fully characterize the behavior of all service containers corresponding to the image during normal operation, and the detection precision of the detection model is ensured. In a container cluster the number of images is far smaller than the number of service containers, so compared with the prior-art approach of modeling each container individually, modeling per image greatly reduces the modeling cost.
In addition, the collector and the controller are both deployed in the cluster as containers, so no separate management mechanism needs to be added and the background management module can manage the containers hosting the collector and the controller in the same way as any other container; to reduce the impact on the service containers, the privileged container is placed in a separate namespace in the container cluster, isolating it from the service environment and avoiding interference with the normal operation of the service containers.
Example three
The present embodiment provides a computer apparatus, as shown in fig. 7, including a memory 70, a processor 71, and a computer program 72 stored on the memory 70 and executable on the processor 71, where the processor 71 executes the computer program 72 to implement the following steps:
for the host nodes in a container cluster, acquiring historical process data of all service containers in each host node during normal operation;
for each image, establishing a detection model based on the historical process data in each service container corresponding to the image; the images are used for creating the service containers, each image corresponds to a plurality of the service containers, and each image corresponds to one detection model;
and when the current process data of each service container is received, detecting the current process data based on the corresponding detection model and judging whether the environment of each service container is abnormal.
Since the computer device described in this embodiment is the device used to implement the container environment anomaly detection method of the first embodiment, a person skilled in the art can understand the specific implementation of the computer device of this embodiment and its variations from the method described in the first embodiment; how the device implements the method of the embodiments of the present application is therefore not described in detail here. Any equipment used by those skilled in the art to implement the methods of the embodiments of the present application is within the scope of the present application.
Based on the same inventive concept, the application also provides a storage medium, which is detailed in the fourth embodiment.
Example four
The present embodiment provides a computer-readable storage medium 80, as shown in fig. 8, on which a computer program 81 is stored, the computer program 81 realizing the following steps when executed by a processor:
for the host nodes in a container cluster, acquiring historical process data of all service containers in each host node during normal operation;
for each image, establishing a detection model based on the historical process data in each service container corresponding to the image; the images are used for creating the service containers, each image corresponds to a plurality of the service containers, and each image corresponds to one detection model;
and when the current process data of each service container is received, detecting the current process data based on the corresponding detection model and judging whether the environment of each service container is abnormal.
In a specific implementation, the computer program 81, when executed by a processor, may implement any of the implementations of the first embodiment.
As will be appreciated by one skilled in the art, embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The present application is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the application. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
While the preferred embodiments of the present application have been described, additional variations and modifications in those embodiments may occur to those skilled in the art once they learn of the basic inventive concepts. Therefore, it is intended that the appended claims be interpreted as including preferred embodiments and all alterations and modifications as fall within the scope of the application.
The above description is only exemplary of the present application and should not be taken as limiting the scope of the present application, as any modifications, equivalents, improvements, etc. made within the spirit and principle of the present application should be included in the scope of the present application.

Claims (10)

1. A method of container environmental anomaly detection, the method comprising:
for the host nodes in a container cluster, acquiring historical process data of all service containers in each host node during normal operation;
for each image, establishing a detection model based on historical process data in each service container corresponding to the image; the images are used for creating the service containers, each image corresponds to a plurality of the service containers, and each image corresponds to one detection model;
and when current process data of each service container is received, detecting the current process data based on the corresponding detection model and judging whether the environment of each service container is abnormal.
2. The method of claim 1, wherein said acquiring historical process data of all service containers in each of said host nodes during normal operation comprises:
creating a corresponding privileged container in each host node, wherein the privileged container comprises a data collector;
mounting each socket file into the corresponding privileged container; the socket file is a file on which a container daemon listens, one container daemon exists in each host node, and the container daemon manages the life cycle of all service containers in that host node;
based on a preset acquisition period, sending a data acquisition instruction to the corresponding socket file through each data collector, so that the socket file passes the data acquisition instruction to the corresponding container daemon;
and receiving, from each container daemon, the historical process data of all service containers running in the host node during normal operation.
3. The method of claim 1, wherein establishing, for each image, a detection model based on historical process data within the service containers corresponding to that image comprises:
classifying the historical process data in each service container with the image as the reference;
for each image, writing the classified historical process data into a pre-established database model table through a controller; each data item in the database model table is one of the detection models; wherein the controller is deployed in the container cluster in container form.
4. The method of claim 1, wherein establishing, for each image, a detection model based on historical process data in the service containers corresponding to that image comprises:
for each image, when new process data of a service container corresponding to that image is received within a preset self-learning period, updating the corresponding detection model according to the new process data.
5. The method of claim 1, wherein detecting the current process data based on the corresponding detection model and judging whether each service container environment is abnormal comprises:
matching the current process data against the process list in the corresponding detection model;
if the matching result is that the memory resource utilization of the current process data exceeds the memory resource utilization threshold in the detection model; or,
if the matching result is that the CPU occupied by the current process data exceeds the CPU threshold in the detection model, determining that resource use in the service container is abnormal.
6. The method of claim 5, further comprising:
if the matching result is that an unknown file is opened by the current process; or,
if the matching result is that an unknown process number is created in the service container, determining that process behavior in the service container is abnormal.
7. The method of claim 5, further comprising:
if the matching result is that a blacklisted process exists; or,
if the matching result is that the current process runs under an unknown user identity; or,
if the matching result is that the current process was started from an unknown path, determining that a process attribute in the service container is abnormal.
8. An apparatus for anomaly detection in a container environment, the apparatus comprising:
an acquisition module, configured to acquire, for the host nodes in a container cluster, historical process data of all service containers in each host node while those service containers run normally;
an establishing module, configured to establish, for each image, a detection model based on the historical process data in each service container corresponding to that image; the images are used to create the service containers, each image corresponds to a plurality of service containers, and each image corresponds to one detection model;
and a detection module, configured to, when current process data of each service container is received, detect the current process data based on the corresponding detection model and judge whether the environment of that service container is abnormal.
9. A computer-readable storage medium on which a computer program is stored, the program, when executed by a processor, carrying out the method of any one of claims 1 to 7.
10. A computer device comprising a memory, a processor and a computer program stored in the memory and executable on the processor, characterized in that the processor implements the method of any one of claims 1 to 7 when executing the program.
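The per-image detection model of claims 1 and 3, the update step of claim 4 and the three matching rules of claims 5 to 7, as an added Python example that is not part of the patent or of any NSFOCUS product; the record fields, the sample "normal run" history and the blacklist are constructed assumptions, and the unknown-process test of claim 6 is done on the process name rather than a PID, which is an interpretation of the claim.

```python
# Added example, not the patent's own code: one detection model per image,
# a self-learning update step, and the matching rules of claims 5-7.
BLACKLIST = {"nc", "xmrig"}   # constructed blacklist of process names

# Constructed "normal run" process records, shaped like what a per-node
# collector might report after querying the container daemon (claim 2).
HISTORY = [
    {"image": "web:1.0", "name": "nginx", "path": "/usr/sbin/nginx", "user": "nginx",
     "cpu": 3.0, "mem": 5.0, "files": ["/etc/nginx/nginx.conf"]},
    {"image": "web:1.0", "name": "nginx", "path": "/usr/sbin/nginx", "user": "root",
     "cpu": 1.0, "mem": 2.0, "files": ["/var/log/nginx/access.log"]},
]

def new_model():
    """Empty detection model: process list, known paths/users/files, thresholds."""
    return {"procs": set(), "paths": set(), "users": set(), "files": set(),
            "cpu_max": 0.0, "mem_max": 0.0}

def learn(model, rec):
    """Fold one normal-run record into an image's model (claim 4's update step;
    the caller decides whether the self-learning period is still open)."""
    model["procs"].add(rec["name"])
    model["paths"].add(rec["path"])
    model["users"].add(rec["user"])
    model["files"].update(rec["files"])
    model["cpu_max"] = max(model["cpu_max"], rec["cpu"])
    model["mem_max"] = max(model["mem_max"], rec["mem"])
    return model

def build_models(history):
    """Classify records by image and build one model per image (claim 3)."""
    models = {}
    for rec in history:
        learn(models.setdefault(rec["image"], new_model()), rec)
    return models

def detect(model, cur):
    """Match a current record against its image's model and return the anomaly
    classes of claims 5-7; an empty list means the container looks normal."""
    found = []
    if cur["mem"] > model["mem_max"] or cur["cpu"] > model["cpu_max"]:
        found.append("resource")        # claim 5: memory or CPU over threshold
    if cur["name"] not in model["procs"] or set(cur["files"]) - model["files"]:
        found.append("behavior")        # claim 6: unknown process or unknown file
    if (cur["name"] in BLACKLIST or cur["user"] not in model["users"]
            or cur["path"] not in model["paths"]):
        found.append("attribute")       # claim 7: blacklist, unknown user or path
    return found

if __name__ == "__main__":
    models = build_models(HISTORY)
    print(detect(models["web:1.0"], HISTORY[0]))
```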
CN202010613033.9A 2020-06-30 2020-06-30 Container environment anomaly detection method, device, medium and computer equipment Pending CN111813497A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202010613033.9A CN111813497A (en) 2020-06-30 2020-06-30 Container environment anomaly detection method, device, medium and computer equipment

Publications (1)

Publication Number Publication Date
CN111813497A true CN111813497A (en) 2020-10-23

Family

ID=72856597

Country Status (1)

Country Link
CN (1) CN111813497A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination