CN113419816A - Container mirror image dynamic risk detection method - Google Patents


Info

Publication number: CN113419816A
Authority: CN (China)
Prior art keywords: container, mirror image, command, software, detection method
Legal status: Pending
Application number: CN202110668576.5A
Other languages: Chinese (zh)
Inventors: 罗强, 袁曙光, 王鹏
Current assignee: Information and Telecommunication Branch of State Grid Anhui Electric Power Co Ltd
Original assignee: Information and Telecommunication Branch of State Grid Anhui Electric Power Co Ltd
Priority date: 2021-06-16
Filing date: 2021-06-16
Publication date: 2021-09-21

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00 Arrangements for program control, e.g. control units
    • G06F9/06 Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44 Arrangements for executing specific programs
    • G06F9/455 Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
    • G06F9/45533 Hypervisors; Virtual machine monitors
    • G06F9/45558 Hypervisor-specific management and integration aspects
    • G06F2009/45587 Isolation or security of virtual machine instances
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55 Detecting local intrusion or implementing counter-measures
    • G06F21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F21/566 Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities
    • G06F21/577 Assessing vulnerabilities and evaluating computer system security

Abstract

The invention provides a container image dynamic risk detection method comprising the following steps: download the image from the public image registry to the local host with a docker pull command; start a container from the downloaded image with a docker run command; have a detection engine enter the container through a docker exec command and use the lsof system interface provided by Linux to analyse the processes started by the container and the library files those processes have opened; have the detection engine scan the service ports (if any) on which the container is listening and check for the common security problems of web services, database services and other services; finally, stop and remove the temporarily started container. The beneficial effect of the invention is that, by performing security detection on the running container, security problems of the services as the image actually runs can be detected.

Description

Container image dynamic risk detection method
Technical Field
The invention relates to the technical field of secure computer operation, in particular to a container image dynamic risk detection method.
Background
An image is the base file system from which a container runs; the container's main program and the software it depends on at runtime are installed in the image. Docker officially provides the largest public image registry, where any image that has been built can be stored for users to pull and run. However, Docker does not inspect the security of the software in images uploaded to the registry, so the registry currently holds a large number of images with high-risk vulnerabilities or malicious trojan backdoors, and user assets are put at risk once such a high-risk image is pulled and used by an unsuspecting user. To address this, security detection needs to be performed on every image downloaded from the public internet so that the risks of using high-risk images are avoided. The invention implements a dynamic risk detection method for container images in order to detect the risks an image carries.
The existing techniques for detecting image risk are virus/trojan file scanning and software vulnerability scanning, both implemented as static file scanning: the image to be examined is downloaded first, an antivirus engine then scans every file in the image one by one for viruses and trojans, and every installed software package and version in the image is enumerated and matched against its known vulnerabilities. However, the existing static file scanning approach cannot detect security problems of the software as the image actually runs, and its results are not necessarily of practical value.
Disclosure of Invention
The invention aims to overcome the defects of the prior art by providing a container image dynamic risk detection method.
The method solves the problem that the existing static file scanning approach cannot detect security problems of software as the image actually runs and that its results are not necessarily of practical value.
The invention is realised by the following technical scheme:
the invention provides a container image dynamic risk detection method, characterised by comprising the following steps:
S01, download the image from the public image registry to the local host with a docker pull command;
S02, start a container from the downloaded image with a docker run command;
S03, have the detection engine enter the container through a docker exec command and use the lsof system interface provided by Linux to analyse the processes started by the container and the library files the container has opened;
S04, have the detection engine scan the service ports (if any) on which the container is listening and check whether the common security problems of web services, database services and other services exist;
S05, stop and remove the temporarily started container.
Preferably, based on the library files found open in S03, a software package management command is used to look up which software package each opened library file belongs to, so that all software actually used by the current container can be obtained.
Preferably, correlating all the actually used software with a vulnerability database yields the software vulnerabilities actually relevant to the container image.
The beneficial effect of the invention is that, by performing security detection on the running container, security problems of the services as the image actually runs can be detected.
Drawings
Fig. 1 is a schematic diagram of the steps of a container image dynamic risk detection method according to an embodiment of the present invention.
Detailed Description
The following detailed description of specific embodiments of the invention refers to the accompanying drawings. It should be understood that the detailed description and specific examples, while illustrating the invention, are given by way of explanation only and not by way of limitation.
First, for ease of understanding, the application scenario of the container image dynamic risk detection method is explained. The method provided by the embodiment of this application is intended to allow dynamic risk monitoring of a container image. The existing techniques for detecting image risk are virus/trojan file scanning and software vulnerability scanning, both implemented as static file scanning; the static approach cannot detect security problems of the software as the image actually runs, and its results are not necessarily of practical value. A container image dynamic risk detection method provided by an embodiment of this application is described below with reference to the accompanying drawings.
Referring to Fig. 1, which is a schematic diagram of the steps of a container image dynamic risk detection method according to an embodiment of the invention, the method comprises the following steps. S01, download the image from the public image registry to the local host with a docker pull command. S02, start a container from the downloaded image with a docker run command. S03, a detection engine enters the container through a docker exec command and uses the lsof system interface provided by Linux to analyse the processes started by the container and the library files they have opened; for each opened library file, a software package management command such as rpm is used to look up the software package it belongs to, which yields all the software actually used by the current container, and that software is correlated with a vulnerability database to obtain the software vulnerabilities actually relevant to the container image. S04, the detection engine scans the service ports (if any) on which the container is listening and checks for the common security problems of web services, database services and other services. S05, stop and remove the temporarily started container.
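The S03 refinement (lsof output to opened libraries, libraries back to owning packages, packages against a vulnerability base) together with the S04 port discovery, worked through in Python as an added example that is not code from the patent: the lsof listing for an assumed nginx process, the `rpm -qf` answers and the vulnerability base are all constructed sample data, and the advisory identifiers are placeholders.

```python
import re

# Constructed sample of `lsof -p <pid>` output from inside the temporary container
# (columns follow lsof's default layout; nothing here was captured from a real image).
SAMPLE_LSOF = """\
COMMAND   PID USER  FD   TYPE DEVICE SIZE/OFF    NODE NAME
nginx    1234 root  txt   REG  253,0  1247296  394012 /usr/sbin/nginx
nginx    1234 root  mem   REG  253,0   165632  131080 /lib64/libssl.so.1.1
nginx    1234 root  mem   REG  253,0  2345678  131090 /lib64/libcrypto.so.1.1
nginx    1234 root  mem   REG  253,0    98765  131100 /lib64/libpcre.so.1
nginx    1234 root    6u  IPv4  23456      0t0     TCP *:80 (LISTEN)
nginx    1234 root    7u  IPv6  23457      0t0     TCP *:443 (LISTEN)
"""
# Constructed stand-in for the answers `rpm -qf <file>` would give (file -> NVRA).
SAMPLE_RPM_QF = {
    "/lib64/libssl.so.1.1": "openssl-libs-1.1.1k-4.el8.x86_64",
    "/lib64/libcrypto.so.1.1": "openssl-libs-1.1.1k-4.el8.x86_64",
    "/lib64/libpcre.so.1": "pcre-8.42-4.el8.x86_64",
}
# Constructed vulnerability base: (package, version) -> placeholder advisory ids.
SAMPLE_VULN_DB = {
    ("openssl-libs", "1.1.1k"): ["DEMO-ADVISORY-0001"],
    ("pcre", "8.30"): ["DEMO-ADVISORY-0002"],  # other version: must not be reported
}
SO_RE = re.compile(r"\.so(\.\d+)*$")  # shared-object names such as libssl.so.1.1

def parse_lsof(text):
    """Return (opened shared libraries, listening TCP ports) from lsof output."""
    libs, ports = set(), set()
    for line in text.splitlines()[1:]:  # first row is the column header
        parts = line.split(None, 8)     # NAME may contain spaces, e.g. "*:80 (LISTEN)"
        if len(parts) < 9:
            continue
        ftype, name = parts[4], parts[8]
        if ftype == "REG" and SO_RE.search(name):
            libs.add(name)
        elif ftype in ("IPv4", "IPv6") and name.endswith("(LISTEN)"):
            ports.add(int(name.rsplit(":", 1)[1].split()[0]))
    return libs, ports

def split_nvra(nvra):
    """'name-version-release.arch' -> (name, version); rpm names may contain '-'."""
    name, version, _release_arch = nvra.rsplit("-", 2)
    return name, version

def packages_for(libs, rpm_qf):
    """Map each opened library back to its owning package (name -> version)."""
    pkgs = {}
    for lib in sorted(libs):
        if lib in rpm_qf:  # files owned by no package cannot be attributed
            name, version = split_nvra(rpm_qf[lib])
            pkgs[name] = version
    return pkgs

def correlate(pkgs, vuln_db):
    """Look up only packages a running process actually loaded, as the method prescribes."""
    return {p: vuln_db[(p, v)] for p, v in pkgs.items() if (p, v) in vuln_db}

def scan_image(lsof_text, rpm_qf, vuln_db):
    """S03 refinement end to end: lsof -> packages -> vulnerabilities, plus S04 ports."""
    libs, ports = parse_lsof(lsof_text)
    return {"ports": sorted(ports),
            "findings": correlate(packages_for(libs, rpm_qf), vuln_db)}
```

Note that the pcre entry in the vulnerability base is for a version the container does not load, so it is absent from the findings, which is exactly the "unused software is not reported" property the description claims.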
This application covers only the detection procedure and method; it does not newly invent a virus scanning engine or a service vulnerability scanning engine, and the detection engine continues to use existing technology. With this detection method, vulnerabilities in the services exposed while the image runs can be detected, which ordinary static scanning cannot do; at the same time, the software actually used by the image and its vulnerability information are obtained, vulnerability information for software present in the image but not used is not reported, and detection is therefore more accurate.
All components used in this application are components commonly used in the prior art.
In the embodiments described above, the container image dynamic risk detection method provided by the embodiment of this application can detect vulnerabilities in the services exposed while the image runs; at the same time, it obtains the software actually used by the image together with its vulnerability information, does not report vulnerability information for unused software in the image, and thereby achieves more accurate detection.
The above embodiments are merely illustrative of preferred embodiments of the invention and do not limit its spirit and scope. Those skilled in the art may make various modifications and improvements to the technical solutions of the invention without departing from its design concept, and the technical content of the invention is set out in the claims.

Claims (3)

1. A container image dynamic risk detection method, characterised by comprising the following steps:
S01, download the image from the public image registry to the local host with a docker pull command;
S02, start a container from the downloaded image with a docker run command;
S03, have the detection engine enter the container through a docker exec command and use the lsof system interface provided by Linux to analyse the processes started by the container and the library files the container has opened;
S04, have the detection engine scan the service ports (if any) on which the container is listening and check whether the common security problems of web services, database services and other services exist;
S05, stop and remove the temporarily started container.
2. The container image dynamic risk detection method according to claim 1, wherein, based on the library files found open in S03, a software package management command is used to look up which software package each opened library file belongs to, so that all software actually used by the current container is obtained.
3. The method according to claim 2, wherein correlating all the actually used software with a vulnerability database yields the software vulnerabilities actually associated with the container image.

Family

Family ID: 77788748
Application number: CN202110668576.5A (sole family member, CN)
Publication number: CN113419816A
Priority date: 2021-06-16
Filing date: 2021-06-16
Publication date: 2021-09-21
Status: Pending

Citations (7)

* Cited by examiner, † Cited by third party
Publication number | Priority date | Publication date | Assignee | Title
CN109828824A * | 2018-12-29 | 2019-05-31 | 东软集团股份有限公司 | Image security detection method, apparatus, storage medium and electronic device
CN109858239A * | 2019-01-16 | 2019-06-07 | 四川大学 | Method for detecting attackers exploiting CPU vulnerabilities in containers, combining static and dynamic analysis
CN110427322A * | 2019-07-29 | 2019-11-08 | 国家电网有限公司 | Dynamic security penetration test method, apparatus and system for business system container images
CN111221625A * | 2019-12-31 | 2020-06-02 | 北京健康之家科技有限公司 | File detection method, apparatus and device
CN112860484A * | 2021-01-29 | 2021-05-28 | 深信服科技股份有限公司 | Container runtime abnormal behaviour detection and model training method and related device
CN112882797A * | 2021-02-26 | 2021-06-01 | 南京邮电大学 | Container security detection method based on machine learning
KR20210063677A * | 2019-11-25 | 2021-06-02 | 세종대학교산학협력단 | Apparatus and method for diagnosing docker image vulnerability

Non-Patent Citations (5)

* Cited by examiner, † Cited by third party
Title
KELLY BRADY: "Docker Container Security in Cloud Computing", 2020 10th Annual Computing and Communication Workshop and Conference (CCWC) *
李佳曦: "Security risks of container-based cloud platforms and their countermeasures", Information and Communications Technologies *
袁波: "Cloud Application System Development Technology", Cloud Application System Development Technology *
许云峰: "Docker installation", Big Data Technology and Industry Applications *
高俊峰: "Fundamentals of domestic Linux", Fundamentals of Domestic Linux *

Legal Events

Code | Title
PB01 | Publication
SE01 | Entry into force of request for substantive examination
RJ01 | Rejection of invention patent application after publication

Application publication date: 2021-09-21