CN111819556A - Container escape detection method, apparatus, system and storage medium - Google Patents
Container escape detection method, apparatus, system and storage medium
- Publication number
- CN111819556A (application CN201880091015.XA)
- Authority
- CN
- China
- Prior art keywords
- container
- escape
- escape detection
- monitored
- component
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Granted
Classifications
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/52—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow
- G06F21/54—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow by adding security routines or objects to programs
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/52—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow
- G06F21/53—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity ; Preventing unwanted data erasure; Buffer overflow by executing in a restricted environment, e.g. sandbox or secure virtual machine
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/554—Detecting local intrusion or implementing counter-measures involving event detection and direct action
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/55—Detecting local intrusion or implementing counter-measures
- G06F21/56—Computer malware detection or handling, e.g. anti-virus arrangements
- G06F21/566—Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F21/00—Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/50—Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
- G06F21/57—Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
- G06F21/577—Assessing vulnerabilities and evaluating computer system security
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F9/00—Arrangements for program control, e.g. control units
- G06F9/06—Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
- G06F9/44—Arrangements for executing specific programs
- G06F9/455—Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
- G06F9/45533—Hypervisors; Virtual machine monitors
- G06F9/45545—Guest-host, i.e. hypervisor is an application program itself, e.g. VirtualBox
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F9/00—Arrangements for program control, e.g. control units
- G06F9/06—Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
- G06F9/44—Arrangements for executing specific programs
- G06F9/455—Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
- G06F9/45533—Hypervisors; Virtual machine monitors
- G06F9/45558—Hypervisor-specific management and integration aspects
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F9/00—Arrangements for program control, e.g. control units
- G06F9/06—Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
- G06F9/44—Arrangements for executing specific programs
- G06F9/455—Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
- G06F9/45533—Hypervisors; Virtual machine monitors
- G06F9/45558—Hypervisor-specific management and integration aspects
- G06F2009/45587—Isolation or security of virtual machine instances
-
- G—PHYSICS
- G06—COMPUTING; CALCULATING OR COUNTING
- G06F—ELECTRIC DIGITAL DATA PROCESSING
- G06F9/00—Arrangements for program control, e.g. control units
- G06F9/06—Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
- G06F9/44—Arrangements for executing specific programs
- G06F9/455—Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
- G06F9/45533—Hypervisors; Virtual machine monitors
- G06F9/45558—Hypervisor-specific management and integration aspects
- G06F2009/45591—Monitoring or debugging support
Landscapes
- Engineering & Computer Science (AREA)
- Software Systems (AREA)
- Computer Security & Cryptography (AREA)
- Theoretical Computer Science (AREA)
- General Engineering & Computer Science (AREA)
- Computer Hardware Design (AREA)
- General Physics & Mathematics (AREA)
- Physics & Mathematics (AREA)
- Health & Medical Sciences (AREA)
- General Health & Medical Sciences (AREA)
- Virology (AREA)
- Computing Systems (AREA)
- Debugging And Monitoring (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
A container escape detection method, apparatus, system and storage medium, relating to the field of container security. The method includes: an escape detection component (12) receives, from a container monitoring component (11), reported information about multiple system calls triggered by a monitored container; the escape detection component (12) matches the order in which these system calls occurred against at least one group of preset system call sequences in the escape detection rules and, from the match result, determines whether the monitored container has escaped. Each group of preset system call sequences in the escape detection rules corresponds to the predicted order of occurrence of the system calls triggered by one kind of container escape behaviour. This strengthens the defence against container escape.
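As an added example (not code from the patent or its applicant), the ordered system-call matching the abstract describes, written in Python: the monitor's report is grouped per container and sorted by time, and each escape detection rule is a predicted system-call order that is matched as an ordered subsequence, so the same calls in a different order do not trigger it. Rule contents, container ids and events are constructed placeholders, not real escape signatures.

```python
"""Ordered system-call sequence matching for container escape detection.

Constructed illustration of the scheme in the abstract: rules, container ids
and events are placeholders, not real escape signatures or patent data.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class SyscallEvent:
    ts: int           # timestamp reported by the container monitoring component
    container: str    # id of the monitored container
    syscall: str      # name of the triggered system call


# Escape detection rules: each value is the predicted order of system calls
# for one escape behaviour. Constructed placeholders for illustration only.
ESCAPE_RULES = {
    "rule-1": ["openat", "mount", "execve"],
    "rule-2": ["ptrace", "write", "execve"],
}


def matches_in_order(observed, pattern):
    """True when every call in `pattern` appears in `observed` in that order,
    allowing unrelated calls in between (ordered-subsequence match)."""
    i = 0
    for call in observed:
        if i < len(pattern) and call == pattern[i]:
            i += 1
    return i == len(pattern)


def detect_escapes(events, rules=ESCAPE_RULES):
    """Group reported events per container, order them by time and return
    {container_id: [matched rule ids]} for containers matching any rule."""
    per_container = defaultdict(list)
    for ev in sorted(events, key=lambda e: (e.ts, e.container)):
        per_container[ev.container].append(ev.syscall)
    verdicts = {}
    for cid, calls in per_container.items():
        hits = [rid for rid, pat in rules.items() if matches_in_order(calls, pat)]
        if hits:
            verdicts[cid] = hits
    return verdicts


# Constructed sample report: c1 triggers rule-1's calls in the predicted order;
# c2 issues the same three calls in a different order and must not match.
SAMPLE_EVENTS = [
    SyscallEvent(1, "c1", "openat"), SyscallEvent(2, "c2", "execve"),
    SyscallEvent(3, "c1", "read"),   SyscallEvent(4, "c2", "mount"),
    SyscallEvent(5, "c1", "mount"),  SyscallEvent(6, "c2", "openat"),
    SyscallEvent(7, "c1", "execve"),
]

if __name__ == "__main__":
    print(detect_escapes(SAMPLE_EVENTS))  # {'c1': ['rule-1']}
```

In a deployment the match would additionally be bounded by a time window and by process lineage, otherwise a long-lived container will eventually emit almost any ordered subsequence.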
Description
PCT national-phase application; the description has been published.
Claims (27)
- PCT national-phase application; the claims have been published.
Applications Claiming Priority (3)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
PCT/CN2018/079338 WO2019174048A1 (zh) | 2018-03-16 | 2018-03-16 | Container escape detection method, apparatus, system and storage medium |
CNPCT/CN2018/079338 | 2018-03-16 | | |
PCT/CN2018/102667 WO2019174193A1 (zh) | 2018-03-16 | 2018-08-28 | Container escape detection method, apparatus, system and storage medium |
Publications (2)
Publication Number | Publication Date |
---|---|
CN111819556A true CN111819556A (zh) | 2020-10-23 |
CN111819556B CN111819556B (zh) | 2024-04-09 |
Family
ID=67908604
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN201880091015.XA Active CN111819556B (zh) | 2018-03-16 | 2018-08-28 | Container escape detection method, apparatus, system and storage medium |
Country Status (4)
Country | Link |
---|---|
US (1) | US11989283B2 (zh) |
EP (1) | EP3761198B1 (zh) |
CN (1) | CN111819556B (zh) |
WO (2) | WO2019174048A1 (zh) |
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN113553598A (zh) * | 2021-09-18 | 2021-10-26 | 云宏信息科技股份有限公司 | Operating system integrity verification method, readable storage medium and verification system |
CN115373798A (zh) * | 2022-07-25 | 2022-11-22 | 国网新疆电力有限公司乌鲁木齐供电公司 | Container escape attack detection and defence method for intelligent IoT terminals |
Families Citing this family (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN109033405B (zh) | 2018-08-03 | 2020-09-08 | 华为技术有限公司 | Method and apparatus for maintaining a blockchain, server and computer-readable storage medium |
US11062022B1 (en) * | 2019-05-01 | 2021-07-13 | Intuit Inc. | Container packaging device |
CN111221625B (zh) * | 2019-12-31 | 2023-08-04 | 北京水滴科技集团有限公司 | File detection method, apparatus and device |
CN111310180A (zh) * | 2020-02-18 | 2020-06-19 | 上海迅软信息科技有限公司 | Computer process anti-impersonation method for enterprise information security |
CN111881453A (zh) * | 2020-07-20 | 2020-11-03 | 北京百度网讯科技有限公司 | Container escape detection method, apparatus and electronic device |
CN113221103B (zh) * | 2021-05-08 | 2022-09-20 | 山东英信计算机技术有限公司 | Container security protection method, system and medium |
CN113761537A (zh) * | 2021-07-29 | 2021-12-07 | 苏州浪潮智能科技有限公司 | Method, system, device and storage medium for preventing container escape |
US11983268B2 (en) * | 2022-02-15 | 2024-05-14 | Palo Alto Networks, Inc. | Prevention of container escape-based attacks of a host system |
Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20150264077A1 (en) * | 2014-03-13 | 2015-09-17 | International Business Machines Corporation | Computer Implemented Techniques for Detecting, Investigating and Remediating Security Violations to IT Infrastructure |
CN105608374A (zh) * | 2015-12-18 | 2016-05-25 | 北京奇虎科技有限公司 | Virtual machine escape detection method and apparatus |
US20170109536A1 (en) * | 2015-10-15 | 2017-04-20 | Twistlock, Ltd. | Static detection of vulnerabilities in base images of software containers |
US20170116415A1 (en) * | 2015-10-01 | 2017-04-27 | Twistlock, Ltd. | Profiling of container images and enforcing security policies respective thereof |
CN106778257A (zh) * | 2016-12-08 | 2017-05-31 | 北京国电通网络技术有限公司 | Virtual machine anti-escape apparatus |
CN107679399A (zh) * | 2017-10-19 | 2018-02-09 | 郑州云海信息技术有限公司 | Container-based malicious code detection sandbox system and detection method |
Family Cites Families (9)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US8272048B2 (en) * | 2006-08-04 | 2012-09-18 | Apple Inc. | Restriction of program process capabilities |
US9037854B2 (en) * | 2013-01-22 | 2015-05-19 | Amazon Technologies, Inc. | Privileged cryptographic services in a virtualized environment |
CN105590054A (zh) * | 2014-11-11 | 2016-05-18 | 航天恒星科技有限公司 | Virtual machine process monitoring method, apparatus and system |
US20160379136A1 (en) * | 2015-06-26 | 2016-12-29 | Qualcomm Incorporated | Methods and Systems for Automatic Extraction of Behavioral Features from Mobile Applications |
CN104915285B (zh) * | 2015-06-30 | 2018-08-14 | 北京奇虎科技有限公司 | Container process monitoring method, apparatus and system |
KR102294568B1 (ko) | 2015-08-19 | 2021-08-26 | 삼성에스디에스 주식회사 | Container image security inspection method and apparatus thereof |
US9521115B1 (en) | 2016-03-24 | 2016-12-13 | Varmour Networks, Inc. | Security policy generation using container metadata |
US10791134B2 (en) * | 2016-12-21 | 2020-09-29 | Threat Stack, Inc. | System and method for cloud-based operating system event and data access monitoring |
US10824745B2 (en) * | 2017-04-19 | 2020-11-03 | Servicenow, Inc. | System for accessing a kernel space of an operating system with access control functionality |
Events
- 2018-03-16 WO PCT/CN2018/079338 patent/WO2019174048A1/zh active Application Filing
- 2018-08-28 CN CN201880091015.XA patent/CN111819556B/zh active Active
- 2018-08-28 WO PCT/CN2018/102667 patent/WO2019174193A1/zh unknown
- 2018-08-28 EP EP18909785.0A patent/EP3761198B1/en active Active
- 2020-09-15 US US17/021,428 patent/US11989283B2/en active Active
Patent Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20150264077A1 (en) * | 2014-03-13 | 2015-09-17 | International Business Machines Corporation | Computer Implemented Techniques for Detecting, Investigating and Remediating Security Violations to IT Infrastructure |
US20170116415A1 (en) * | 2015-10-01 | 2017-04-27 | Twistlock, Ltd. | Profiling of container images and enforcing security policies respective thereof |
US20170109536A1 (en) * | 2015-10-15 | 2017-04-20 | Twistlock, Ltd. | Static detection of vulnerabilities in base images of software containers |
CN105608374A (zh) * | 2015-12-18 | 2016-05-25 | 北京奇虎科技有限公司 | Virtual machine escape detection method and apparatus |
CN106778257A (zh) * | 2016-12-08 | 2017-05-31 | 北京国电通网络技术有限公司 | Virtual machine anti-escape apparatus |
CN107679399A (zh) * | 2017-10-19 | 2018-02-09 | 郑州云海信息技术有限公司 | Container-based malicious code detection sandbox system and detection method |
Non-Patent Citations (2)
Title |
---|
BO LI ET AL: "A VMM-based System Call Interposition Framework for Program Monitoring", 2010 IEEE 16th International Conference on Parallel and Distributed Systems, pages 706-711 * |
杨爱民; 高放; 边敏华; 杨曙磊: "Cloud computing security assessment and countermeasures based on AHP and fuzzy evaluation", 通信学报, no. 1, 30 October 2016 (2016-10-30) * |
Also Published As
Publication number | Publication date |
---|---|
EP3761198A1 (en) | 2021-01-06 |
CN111819556B (zh) | 2024-04-09 |
WO2019174048A1 (zh) | 2019-09-19 |
US11989283B2 (en) | 2024-05-21 |
WO2019174193A1 (zh) | 2019-09-19 |
EP3761198B1 (en) | 2023-07-26 |
US20200410089A1 (en) | 2020-12-31 |
EP3761198A4 (en) | 2021-04-28 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN111819556B (zh) | | Container escape detection method, apparatus, system and storage medium |
US9596257B2 (en) | | Detection and prevention of installation of malicious mobile applications |
CN102651061B (zh) | | System and method for detecting complex malware |
RU2645268C2 (ru) | | Complex classification for detecting malware |
RU2568295C2 (ru) | | System and method for temporary protection of the operating system of hardware-software devices from applications containing vulnerabilities |
EP3111364B1 (en) | | Systems and methods for optimizing scans of pre-installed applications |
US10462160B2 (en) | | Method and system for identifying uncorrelated suspicious events during an attack |
CN105580022A (zh) | | System and method for facilitating malware scanning using reputation indicators |
KR102116573B1 (ko) | | Dynamic reputation indicators for optimizing computer security operations |
KR20160054589A (ko) | | Malware and exploit campaign detection system and method |
CN102882875B (zh) | | Active defence method and apparatus |
CN112995236B (zh) | | IoT device security management and control method, apparatus and system |
US20180026986A1 (en) | | Data loss prevention system and data loss prevention method |
CN111183620B (zh) | | Intrusion investigation |
CN115904605A (zh) | | Software defence method and related device |
US9894045B1 (en) | | Determining application reputation based on deviations in security rating scores |
CN109997138A (zh) | | System and method for detecting malicious processes on a computing device |
CN102857519B (zh) | | Active defence system |
KR102382889B1 (ko) | | Method and system for detecting web shells using process information |
CN110659478B (zh) | | Method for detecting analysis-resistant malicious files in an isolated environment |
US11449610B2 (en) | | Threat detection system |
KR101934381B1 (ko) | | Hacking tool detection method, and user terminal and server performing the same |
US10061924B1 (en) | | Detecting malicious code based on deviations in executable image import resolutions and load patterns |
CN113504971B (zh) | | Container-based security interception method and system |
Hovmark et al. | | Towards Extending Probabilistic Attack Graphs with Forensic Evidence: An investigation of property list files in macOS |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| TA01 | Transfer of patent application right | Effective date of registration: 20220304. Address after: 550025 Huawei cloud data center, jiaoxinggong Road, Qianzhong Avenue, Gui'an New District, Guiyang City, Guizhou Province; Applicant after: Huawei Cloud Computing Technology Co.,Ltd. Address before: 518129 Bantian HUAWEI headquarters office building, Longgang District, Guangdong, Shenzhen; Applicant before: HUAWEI TECHNOLOGIES Co.,Ltd. |
| GR01 | Patent grant | |