CN113177204B - Container mirror image security detection method, terminal device and storage medium


Info

Publication number: CN113177204B
Authority: CN (China)
Prior art keywords: software package, mirror image, container, software, scanned
Legal status: Active (Google notes that the legal status is an assumption and not a legal conclusion)
Application number: CN202110397750.7A
Other languages: Chinese (zh)
Other versions: CN113177204A (en)
Inventors: 付志波, 陈奋, 陈荣有, 孙晓波, 龚利军
Current assignee: Xiamen Fuyun Information Technology Co ltd (Google notes that the listed assignees may be inaccurate)
Original assignee: Xiamen Fuyun Information Technology Co ltd
Priority date: 2021-04-14 (Google notes that the priority date is an assumption and not a legal conclusion)
Filing date: 2021-04-14
Publication dates: CN113177204A on 2021-07-27; CN113177204B on 2022-06-14
Events: application filed by Xiamen Fuyun Information Technology Co ltd; priority to CN202110397750.7A; publication of CN113177204A; application granted; publication of CN113177204B; legal status active

Classifications

    • G06F21/562 Static detection (G Physics > G06 Computing; calculating or counting > G06F Electric digital data processing > G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems > G06F21/55 Detecting local intrusion or implementing counter-measures > G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements)
    • G06F21/577 Assessing vulnerabilities and evaluating computer system security (G Physics > G06 Computing; calculating or counting > G06F Electric digital data processing > G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity > G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems > G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities)
    • G06F8/63 Image based installation; Cloning; Build to order (G Physics > G06 Computing; calculating or counting > G06F Electric digital data processing > G06F8/00 Arrangements for software engineering > G06F8/60 Software deployment > G06F8/61 Installation)

Landscapes

  • Engineering & Computer Science (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Virology (AREA)
  • Computing Systems (AREA)
  • Storage Device Security (AREA)

Abstract

The invention relates to a container image security detection method, a terminal device and a storage medium. The method comprises the following steps. S1: scan the software packages in the image, classify each scanned package, and determine the type of technology stack the package uses. S2: according to the classification result of the package, perform vulnerability detection on the package with the vulnerability detection rules corresponding to that classification. S3: read the data of the package management tool inside the image to obtain the paths of all installation files belonging to the packages. S4: using the path set formed by those paths, perform reverse filtering over the image, find every file that does not belong to the path set, and apply the general vulnerability detection rules to all files found. The invention addresses the problem that mainstream container image scanning software inspects too little of the data in an image to meet the requirements of real container security scenarios.

Description

Container mirror image security detection method, terminal device and storage medium
Technical Field
The present invention relates to the field of container images ("mirror images" in the machine-translated title), and in particular to a method, a terminal device and a storage medium for detecting the security of a container image.
Background
With the wide adoption of container technology, more and more software is deployed in containers, and most of the images used by these containers come from image repositories on the internet, which do not guarantee that the images are safe. Insecure images are therefore easily introduced, threatening the security of the underlying system.
Docker images mostly build on different versions of operating-system base images, and every version of the software in them exposes bugs over time, yet the images themselves are not updated immediately. Some individuals or organizations also build images containing specific software vulnerabilities for various purposes and place them in public repositories on the internet for others to download. Some images further attempt to mix malicious files or programs into a normally installed software package, thereby bypassing security checks that rely purely on vulnerability identification. How to audit the software in an image more thoroughly and in more detail, and report more complete security risk information, has therefore become an urgent problem.
Currently, mainstream container image scanning software mainly detects the software in an image from the database carried by the package management tool, but that yields only package names and version numbers; it provides no further information about the packages and nothing about files in the image that belong to no package. This limits the container security system's ability to warn about and protect against security problems in the image, so the practical effect of mainstream container image scanning software is not ideal.
Disclosure of Invention
To solve the above problems, the present invention provides a container image security detection method, a terminal device and a storage medium, intended to solve the problem that mainstream container image scanning software inspects too little of the data in an image to meet the requirements of real container security scenarios.
The specific scheme is as follows:
A container image security detection method comprises the following steps:
S1: scanning the software packages in the image, classifying each scanned package, and determining the type of technology stack the package uses;
S2: according to the classification result of the package, performing vulnerability detection on the package with the vulnerability detection rules corresponding to that classification;
S3: reading the data of the package management tool inside the image to obtain the paths of all installation files belonging to the packages;
S4: using the path set formed by the paths of all installation files belonging to the packages, performing reverse filtering over the image, finding every file that does not belong to the path set, and applying the general vulnerability detection rules to all files found.
Further, a linear model is used for the classification of the software package, and the feature data used comprise the file name and the file suffix.
Further, step S2 includes constructing a database that stores the vulnerability detection rules corresponding to each type of software package.
Further, the paths of the installation files belonging to a package are obtained by parsing the internal database of the package management tool.
Further, when images need to be scanned in batch, every layer of the first image is scanned when that image is scanned and the scan results are stored in the file database as a cache; when other images are scanned later, the cache is first searched for a result for each corresponding layer, and if one exists the layer is not scanned again.
A container image security detection terminal device comprises a processor, a memory and a computer program stored in the memory and able to run on the processor; when the processor executes the computer program it implements the steps of the method of the embodiment of the invention.
A computer-readable storage medium stores a computer program which, when executed by a processor, carries out the steps of the method described above for the embodiments of the invention.
With this technical scheme the invention can detect vulnerabilities in a Docker image, insecure configuration in software, configuration containing sensitive information, files that were not installed by any software package, modified installation files and the like, and can predict and classify the image's application, technology stack and so on. It thus discovers the various security risks in a Docker image comprehensively, allows timely hardening during use, raises the security protection level of Docker images, and meets the security construction requirements of policies and regulations such as classified protection and industry specifications.
Drawings
Fig. 1 is a flowchart of the first embodiment of the present invention.
Detailed Description
To further illustrate the various embodiments, the invention provides the accompanying drawings. The accompanying drawings, which are incorporated in and constitute a part of this disclosure, illustrate embodiments of the invention and, together with the description, serve to explain the principles of the embodiments. Those skilled in the art will appreciate still other possible embodiments and advantages of the present invention with reference to these figures.
The invention will now be further described with reference to the accompanying drawings and detailed description.
The first embodiment is as follows:
The embodiment of the invention provides a container image security detection method which, as shown in Fig. 1, comprises the following steps:
S1: scan the software packages in the image, classify each scanned package, and determine the type of technology stack the package uses.
A package is classified according to features such as the file names and file suffixes of the files that belong to it. The classification result is the type of technology stack the package belongs to, for example a type whose main service is Java or a type whose main service is PHP, and different vulnerability detection rules are preset for each type. Such targeted vulnerability detection can find hidden dangers that conventional vulnerability detection misses, such as sensitive information (leaked passwords, unobfuscated web source code), viruses, trojans and web backdoors.
The classification algorithm used in this embodiment is a logistic model, a linear model that can be written as:
y = w · x + b
where w is the weight vector obtained by training, x is the feature data of the sample, and b is the bias (intercept), i.e. the score assigned before any feature is taken into account.
Prediction with the logistic classification model generally comprises three steps:
1. compute the linear function (y = w · x + b);
2. convert the score to a probability (sigmoid or softmax);
3. convert the probability to a label.
Training is performed on a large number of collected samples of the different types; its purpose is to infer reasonable weights w and bias b from the feature data of the input samples by methods such as gradient descent, so that the output predictions become more accurate.
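As an added illustration (not code from the patent), the three prediction steps and the gradient-descent training above, applied to the patent's own feature data: a package's file names and suffixes. The suffix vocabulary, the two stack labels (Java vs. PHP) and the training file lists are constructed for the example.

```python
import math
from collections import Counter

# Suffix vocabulary used as features (constructed; the patent names only
# "file name" and "file suffix" as the feature data, not a concrete list).
SUFFIXES = ["jar", "class", "war", "php", "phtml", "ini", "so", "conf"]

def extract_features(file_paths):
    """Turn a package's installed file list into x: the share of files per suffix."""
    counts = Counter()
    for path in file_paths:
        name = path.rsplit("/", 1)[-1]
        if "." in name:
            counts[name.rsplit(".", 1)[-1].lower()] += 1
    total = max(1, len(file_paths))
    return [counts[s] / total for s in SUFFIXES]

def sigmoid(z):
    return 1.0 / (1.0 + math.exp(-z))

def predict_proba(w, b, x):
    """Steps 1 and 2: linear score y = w.x + b, then sigmoid to a probability."""
    score = sum(wi * xi for wi, xi in zip(w, x)) + b
    return sigmoid(score)

def train(samples, epochs=2000, lr=0.5):
    """Batch gradient descent on the logistic loss; returns (w, b).
    samples: list of (feature vector, label) with label 1 = Java, 0 = PHP."""
    n = len(SUFFIXES)
    w, b = [0.0] * n, 0.0
    for _ in range(epochs):
        grad_w, grad_b = [0.0] * n, 0.0
        for x, label in samples:
            err = predict_proba(w, b, x) - label   # d(log loss)/d(score)
            for i in range(n):
                grad_w[i] += err * x[i]
            grad_b += err
        m = len(samples)
        w = [wi - lr * gi / m for wi, gi in zip(w, grad_w)]
        b -= lr * grad_b / m
    return w, b

def classify(model, file_paths, threshold=0.5):
    """Step 3: probability to label (the technology-stack type of the package)."""
    w, b = model
    p = predict_proba(w, b, extract_features(file_paths))
    return "java" if p >= threshold else "php"

# Constructed training samples: file lists of packages with a known stack.
TRAINING = [
    (["/usr/share/app/lib/app.jar", "/usr/share/app/classes/Main.class",
      "/etc/app/app.conf"], 1),
    (["/opt/tomcat/webapps/ROOT.war", "/opt/tomcat/lib/catalina.jar"], 1),
    (["/var/www/html/index.php", "/var/www/html/admin.php",
      "/etc/php/7.4/php.ini"], 0),
    (["/usr/lib/php/20190902/curl.so", "/var/www/app/config.php",
      "/etc/php/conf.d/curl.ini"], 0),
]
MODEL = train([(extract_features(files), label) for files, label in TRAINING])
```

With the trained model, a package is classified from its file list alone, and the rule set for the predicted stack is then selected in S2.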
S2: and according to the classification result of the software package, performing vulnerability detection on the software package according to the vulnerability detection rule corresponding to the classification result.
In order to conveniently search the corresponding vulnerability detection rules, a vulnerability detection rule database is also constructed in the embodiment and used for storing the vulnerability detection rules corresponding to each type of software package.
S3: and reading the data of the software package management tool in the mirror image to acquire the paths of all installation class files related to the software package.
In this embodiment, the path of the installation class file associated with the software package is obtained by parsing an internal database of the software package management tool.
S4: and according to a path set formed by paths of all installation files related to the software package, performing reverse filtering in the mirror image, finding out all files which do not belong to the path set, and performing vulnerability detection of a general vulnerability detection rule on all the found files.
By filtering backwards, it can be ensured that every file in the image is detected.
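An added example (not the patent's implementation) of steps S3 and S4 over a dpkg-managed image: it parses dpkg's per-package file lists into the path set, walks the unpacked image root to find every file outside that set, and applies a small constructed set of general rules to those files. It also goes one step further than S4 by checking owned files against the MD5 sums dpkg records, which is the "modified installation files" case the description mentions. The image root, the two packages and the rules are all constructed for the example.

```python
import hashlib
import os
import re
import tempfile
from pathlib import Path

# General rules for files that no package owns (constructed for this example; the
# patent only says "general vulnerability detection rules" are applied to them).
SYSTEM_BIN_DIRS = ("/bin", "/sbin", "/usr/bin", "/usr/sbin", "/usr/lib")
SENSITIVE_RE = re.compile(r"(?i)(password|passwd|secret|api[_-]?key)\s*[=:]\s*\S+")
DPKG_INFO = "var/lib/dpkg/info"   # dpkg's per-package metadata directory

def read_package_file_lists(rootfs):
    """S3: parse dpkg's <pkg>.list files into {package: set(absolute paths)}."""
    owned = {}
    for list_file in (Path(rootfs) / DPKG_INFO).glob("*.list"):
        lines = [ln.strip() for ln in list_file.read_text().splitlines()]
        owned[list_file.stem] = {ln for ln in lines if ln and ln != "/."}
    return owned

def reverse_filter(rootfs, owned):
    """S4: every regular file in the image whose path is in no package's file list."""
    path_set = set().union(*owned.values())
    unowned = []
    for dirpath, _dirs, files in os.walk(rootfs):
        for name in files:
            rel = "/" + (Path(dirpath) / name).relative_to(rootfs).as_posix()
            if rel.startswith("/var/lib/dpkg/"):   # the package manager's own database
                continue
            if rel not in path_set:
                unowned.append(rel)
    return sorted(unowned)

def modified_package_files(rootfs):
    """Compare each owned file against the MD5 dpkg recorded in <pkg>.md5sums."""
    changed = []
    for sums_file in (Path(rootfs) / DPKG_INFO).glob("*.md5sums"):
        for ln in sums_file.read_text().splitlines():
            digest, rel = ln.split(None, 1)          # "<md5>  usr/bin/curl"
            data = (Path(rootfs) / rel).read_bytes()
            if hashlib.md5(data).hexdigest() != digest:
                changed.append("/" + rel)
    return sorted(changed)

def apply_general_rules(rootfs, unowned):
    """Run the constructed general rules over the unowned files."""
    findings = []
    for rel in unowned:
        if any(rel.startswith(d + "/") for d in SYSTEM_BIN_DIRS):
            findings.append((rel, "unowned file in a system binary directory"))
        text = (Path(rootfs) / rel.lstrip("/")).read_text(errors="ignore")
        if SENSITIVE_RE.search(text):
            findings.append((rel, "possible credential in configuration"))
    return findings

def build_sample_image():
    """Construct a tiny image root filesystem in a temp dir (sample data, not a real image)."""
    root = tempfile.mkdtemp(prefix="img-")
    curl_md5 = hashlib.md5(b"curl binary").hexdigest()
    files = {
        "var/lib/dpkg/info/curl.list": "/.\n/usr/bin/curl\n/usr/share/doc/curl/copyright\n",
        "var/lib/dpkg/info/curl.md5sums": f"{curl_md5}  usr/bin/curl\n",
        "var/lib/dpkg/info/nginx.list": "/usr/sbin/nginx\n/etc/nginx/nginx.conf\n",
        "usr/bin/curl": "curl binary, patched",             # differs from recorded MD5
        "usr/share/doc/curl/copyright": "license text",
        "usr/sbin/nginx": "nginx binary",
        "etc/nginx/nginx.conf": "worker_processes 1;\n",
        "usr/bin/helper": "dropped outside any package",    # unowned, in a system dir
        "app/config.env": "DB_PASSWORD=hunter2\n",          # unowned, sensitive content
        "app/main.py": "print('hello')\n",                  # unowned, nothing to report
    }
    for rel, content in files.items():
        path = Path(root) / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(content)
    return root

def scan(rootfs):
    """S3 + S4 + integrity check; returns (unowned paths, findings, modified owned files)."""
    owned = read_package_file_lists(rootfs)
    unowned = reverse_filter(rootfs, owned)
    return unowned, apply_general_rules(rootfs, unowned), modified_package_files(rootfs)
```

On a real image the root would be the unpacked (merged) layers, and rpm-based images would need the rpm database parsed instead of dpkg's text lists.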
When obtaining the paths of the installation files, note that a container image uses a layered union file system, and every installation or removal of a software package creates a new layer. The most recent package database is stored in the newest layer that contains one, so that layer can be located directly and scanned for the list of installed software.
Even so, because container images vary greatly, the number of layers to be scanned in practice is still very large, and scanning the complete image every time places a heavy performance burden on the tool. Container image layers can be reused: most images are built on a base image, and most contain layers that are shared with other images or otherwise depend on one another. Therefore, when several images are scanned, this embodiment adopts a greedy scanning strategy: every layer of the first image is scanned when that image is scanned and the results are stored in the file database as a cache; when other images are scanned later, the cache is first searched for a result for each corresponding layer, and if one exists the layer is not scanned again. This greatly improves the efficiency of batch scanning of container images.
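An added example (not the patent's code) of the layer handling just described: layers are content-addressed by digest, the package database is taken from the newest layer that carries one, and a batch scanner keeps a per-digest cache so that base and runtime layers shared between images are scanned only once. The layer contents and the single per-layer rule are constructed for the example; whiteout entries for deleted files are ignored.

```python
import hashlib
from collections import namedtuple

# A layer is an immutable (digest, {path: content}) pair. Real layers also carry
# whiteout entries for deleted files; this example ignores those (assumption).
Layer = namedtuple("Layer", ["digest", "files"])
PKG_DB_PATH = "/var/lib/dpkg/status"   # dpkg's package database inside the image

def make_layer(files):
    """Content-address the layer, as image formats do: a digest over its contents."""
    h = hashlib.sha256()
    for path in sorted(files):
        h.update(path.encode() + b"\0" + files[path] + b"\0")
    return Layer("sha256:" + h.hexdigest(), files)

def latest_package_db_layer(layers):
    """Walk the layers newest-first and return the first that carries the package database."""
    for layer in reversed(layers):
        if PKG_DB_PATH in layer.files:
            return layer
    return None

def scan_layer(layer):
    """Per-layer general rule (constructed): flag files carrying a password assignment."""
    return sorted(path for path, data in layer.files.items() if b"password=" in data.lower())

class BatchScanner:
    """Greedy batch scanning: each layer digest is scanned once and its result cached."""
    def __init__(self):
        self.cache = {}            # stands in for the file database used as the cache
        self.layers_scanned = 0    # how many real layer scans were performed

    def scan_image(self, layers):
        report = {}
        for layer in layers:
            if layer.digest not in self.cache:     # cache miss: scan and remember
                self.cache[layer.digest] = scan_layer(layer)
                self.layers_scanned += 1
            report[layer.digest] = self.cache[layer.digest]
        return report

# Constructed layers: two images share the base and runtime layers.
BASE = make_layer({"/etc/os-release": b"ID=debian\n",
                   PKG_DB_PATH: b"Package: base-files\n"})
RUNTIME = make_layer({"/usr/bin/python3": b"\x7fELF",
                      PKG_DB_PATH: b"Package: base-files\nPackage: python3\n"})
APP_A = make_layer({"/app/a.py": b"print(1)\n", "/app/.env": b"PASSWORD=changeme\n"})
APP_B = make_layer({"/app/b.py": b"print(2)\n"})
IMAGE_A = [BASE, RUNTIME, APP_A]
IMAGE_B = [BASE, RUNTIME, APP_B]

def scan_batch(images):
    """Scan several images with one shared cache; returns (reports, layers actually scanned)."""
    scanner = BatchScanner()
    reports = [scanner.scan_image(image) for image in images]
    return reports, scanner.layers_scanned
```

Scanning the two images costs four layer scans instead of six, and the saving grows with every additional image built on the same base.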
The embodiment of the invention can detect vulnerabilities in a Docker image, insecure configuration in software, configuration containing sensitive information, files that were not installed by any software package, and modified installation files, and can predict and classify the image's purpose, technology stack and so on. It thus discovers the various security risks in a Docker image comprehensively, allows timely hardening during use, raises the security protection level of Docker images, and meets the security construction requirements of policies and regulations such as classified protection and industry specifications. The embodiment provides users with fast and complete technical support and a strong guarantee for the safe, reliable and sustainable operation of the information system.
The second embodiment is as follows:
The invention further provides a container image security detection terminal device comprising a memory, a processor and a computer program stored in the memory and able to run on the processor; when the processor executes the computer program it implements the steps of the method embodiment described in the first embodiment of the invention.
Further, as an executable scheme, the container image security detection terminal device may be a computing device such as a desktop computer, a notebook, a palmtop computer or a cloud server. The device can include, but is not limited to, a processor and a memory. Those skilled in the art will understand that the above composition is only an example of the container image security detection terminal device and does not limit it; the device may include more or fewer components than those listed, or combine some components, or use different components. For example, it may further include an input/output device, a network access device, a bus and the like, which this embodiment of the invention does not restrict.
Further, as an executable solution, the processor may be a central processing unit (CPU), another general-purpose processor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, and so on. The general-purpose processor may be a microprocessor or any conventional processor. The processor is the control centre of the container image security detection terminal device and connects the various parts of the whole device through various interfaces and lines.
The memory may be configured to store the computer program and/or modules, and the processor implements the various functions of the container image security detection terminal device by running or executing the computer program and/or modules stored in the memory and calling the data stored in the memory. The memory may mainly comprise a program storage area and a data storage area: the program storage area can store an operating system and the application program required by at least one function, and the data storage area can store data created according to the use of the mobile phone, and the like. In addition, the memory may include high-speed random access memory and may also include non-volatile memory such as a hard disk, a memory, a plug-in hard disk, a Smart Media Card (SMC), a Secure Digital (SD) card, a flash memory card, at least one magnetic disk storage device, a flash memory device, or other volatile solid-state storage device.
The invention also provides a computer-readable storage medium, in which a computer program is stored, which, when being executed by a processor, carries out the steps of the above-mentioned method of an embodiment of the invention.
The integrated module/unit of the container image security detection terminal device can be stored in a computer readable storage medium if it is implemented in the form of a software functional unit and sold or used as a stand-alone product. Based on such understanding, all or part of the flow of the method according to the embodiments of the present invention may also be implemented by a computer program, which may be stored in a computer-readable storage medium, and when the computer program is executed by a processor, the steps of the method embodiments may be implemented. Wherein the computer program comprises computer program code, which may be in the form of source code, object code, an executable file or some intermediate form, etc. The computer-readable medium may include: any entity or device capable of carrying the computer program code, recording medium, usb disk, removable hard disk, magnetic disk, optical disk, computer Memory, Read-Only Memory (ROM), Random Access Memory (RAM), software distribution medium, and the like.
While the invention has been particularly shown and described with reference to a preferred embodiment, it will be understood by those skilled in the art that various changes in form and detail may be made therein without departing from the spirit and scope of the invention as defined by the appended claims.

Claims (7)

1. A container image security detection method, characterized by comprising the following steps:
S1: scanning the software packages in the image, classifying each scanned package, and determining the type of technology stack the package uses, the package being classified according to the features of each file belonging to it, wherein the features of a file comprise the file name and the file suffix;
S2: presetting different vulnerability detection rules for different types of software package, and performing vulnerability detection on each package according to its classification result and the vulnerability detection rules corresponding to that classification;
S3: reading the data of the package management tool inside the image to obtain the paths of all installation files belonging to the packages;
S4: using the path set formed by the paths of all installation files belonging to the packages, performing reverse filtering over the image, finding every file that does not belong to the path set, and applying the general vulnerability detection rules to all files found.
2. The container image security detection method of claim 1, wherein a linear model is used for the classification of the software package.
3. The container image security detection method of claim 1, wherein step S2 further includes constructing a database for storing the vulnerability detection rules corresponding to each type of software package.
4. The container image security detection method of claim 1, wherein the paths of the installation files belonging to a package are obtained by parsing an internal database of the package management tool.
5. The container image security detection method of claim 1, wherein, when images need to be scanned in batch, every layer of the first image is scanned when that image is scanned and the scan results are stored in the file database as a cache; when other images are scanned later, the cache is first searched for a result for each corresponding layer, and if one exists the layer is not scanned again.
6. A container image security detection terminal device, characterized in that it comprises a processor, a memory and a computer program stored in the memory and running on the processor, the processor implementing the steps of the method according to any one of claims 1 to 5 when executing the computer program.
7. A computer-readable storage medium storing a computer program, characterized in that the computer program, when executed by a processor, implements the steps of the method according to any one of claims 1 to 5.

Priority Applications (1)

Application number | Priority date | Filing date | Title
CN202110397750.7A (CN113177204B, en) | 2021-04-14 | 2021-04-14 | Container mirror image security detection method, terminal device and storage medium

Applications Claiming Priority (1)

Application number | Priority date | Filing date | Title
CN202110397750.7A (CN113177204B, en) | 2021-04-14 | 2021-04-14 | Container mirror image security detection method, terminal device and storage medium

Publications (2)

Publication number | Publication date
CN113177204A (en) | 2021-07-27
CN113177204B (en) | 2022-06-14

Family

ID=76923584

Family Applications (1)

Application number | Status | Title | Priority date | Filing date
CN202110397750.7A (CN113177204B, en) | Active | Container mirror image security detection method, terminal device and storage medium | 2021-04-14 | 2021-04-14

Country Status (1)

Country | Link
CN (1) | CN113177204B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
CN113656809A * | 2021-09-01 | 2021-11-16 | 京东科技信息技术有限公司 | Mirror image security detection method, device, equipment and medium

Citations (2)

Publication number | Priority date | Publication date | Assignee | Title
CN108920250A * | 2018-06-05 | 2018-11-30 | 麒麟合盛网络技术股份有限公司 | The method and device of Application Container
CN111917691A * | 2019-05-10 | 2020-11-10 | 张长河 | WEB dynamic self-adaptive defense system and method based on false response

Family Cites Families (1)

Publication number | Priority date | Publication date | Assignee | Title
US10223534B2 * | 2015-10-15 | 2019-03-05 | Twistlock, Ltd. | Static detection of vulnerabilities in base images of software containers

Non-Patent Citations (1)

Title
吕彬 et al., 《Docker容器安全性分析与增强方案研究》 (Docker container security analysis and enhancement scheme research), 《保密科学技术》 (Secrecy Science and Technology), 2021, pp. 15-22. *

Also Published As

Publication number Publication date
CN113177204A (en) 2021-07-27


Legal Events

Code | Title
PB01 | Publication
SE01 | Entry into force of request for substantive examination
GR01 | Patent grant