CN113595995A - Zero-trust security protection method and system for container - Google Patents
Publication number
- CN113595995A (application CN202110786066.8A)
Authority
- CN (China)
Legal status
- Pending (the legal status shown is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to its accuracy)
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1416—Event detection, e.g. attack signature detection
- H04L63/20—Network architectures or network communication protocols for network security for managing network security; network security policies in general
Abstract
The invention relates to a zero-trust security protection method and system for a container. The method comprises the following steps: acquiring the ingress traffic of a container and obtaining the characteristic values of the attributes of that ingress traffic within a period; counting the frequency distribution with which the characteristic values of each attribute appear in the period, and from it calculating the entropy value of each attribute in the period; calculating an average entropy value and an entropy variance from the historical entropy values of the attribute in different periods, so as to obtain a reasonable threshold; and issuing a warning that the container is under attack if the entropy value of at least one attribute within the period exceeds its corresponding reasonable threshold. The method and system allow the security state of the container to be evaluated continuously and dynamic access control to be performed centred on real-time data.
Description
Technical Field
Embodiments of the invention relate to a container security protection method and system, and in particular to a zero-trust security protection method and system for a container.
Background
With the continued growth of advanced security threats, the traditional approach centred on boundary (perimeter) protection no longer suits today's changing IT environment, and the security state of a container needs to be protected continuously.
At present, container security protection is mainly boundary-based: security protection equipment is deployed at the network boundary between the container cluster as a whole and the external network, where it detects and handles attacks. Traditional security protection methods grant full trust to the systems inside the network boundary; as attack techniques evolve to bypass boundary security devices, more and more security events are launched from inside the network.
A zero-trust security protection method and system for containers is therefore needed that can judge the security condition of a container from the degree of randomness of each characteristic of the ingress traffic of key containers, thereby evaluating the security state of the container continuously and performing dynamic access control centred on real-time data.
Disclosure of Invention
The invention provides a zero-trust security protection method and system for a container, which address at least one of the technical problems above.
According to one aspect of the invention, a zero-trust security protection method for a container is provided, which may include the following steps:
acquiring the ingress traffic of the container and obtaining the characteristic values of the attributes of the ingress traffic in a period;
counting the frequency distribution with which the characteristic values of each attribute appear in the period, and from it calculating the entropy value of the attribute in the period;
calculating the average entropy value and the entropy variance from the historical entropy values of the attribute in different periods, so as to obtain a reasonable threshold; and
issuing a warning that the container is under attack if the entropy value of at least one attribute within a period exceeds its corresponding reasonable threshold.
Optionally, the number of times each characteristic value of the attribute appears in the period may be counted and summarised into a characteristic-count mapping table for the attribute.
Optionally, the frequency of occurrence of each characteristic value of the attribute in the period may be calculated, and the counts in the characteristic-count mapping table replaced by these frequencies, giving a characteristic-frequency mapping table.
Optionally, the entropy value of the attribute in the period may be calculated from the characteristic-frequency mapping table by the following formula:
where P_i denotes the i-th attribute, H(P_i) the entropy value of the i-th attribute, r_j the frequency with which the j-th characteristic value of the i-th attribute appears in the period, and n the number of characteristic values of the i-th attribute in the period; i, j and n are all positive (non-zero) integers.
Optionally, the reasonable threshold may be the range from the average entropy value minus the entropy variance up to the average entropy value plus the entropy variance.
Optionally, after the warning has been issued and the container is confirmed to be under attack, the attacked container may be masked and its ingress traffic redirected to other containers of the same type.
Optionally, the destination IP address of the ingress traffic is that of the container.
Optionally, the attributes may include the source IP address, source port number and destination port number of the ingress traffic.
According to a second aspect of the invention, a zero-trust security protection system for a container is provided, which may include a host, a network link, an optical splitter, a traffic resolver and a container. Ingress traffic flows from the host to the container over the network link; the optical splitter is deployed on the network link and is configured to copy the traffic from the host into the traffic resolver; the traffic resolver is configured to extract the ingress traffic destined to the container according to the destination IP address of the traffic, extract the attributes of that ingress traffic, calculate the entropy value and the reasonable threshold of each attribute, and judge whether the entropy value exceeds the reasonable threshold.
Compared with the prior art, the zero-trust security protection method and system for a container can judge the security condition of the container from the degree of randomness of each characteristic of the ingress traffic of key containers. The security state of the container can therefore be evaluated continuously, and dynamic access control performed centred on real-time data.
Drawings
Fig. 1 is a flowchart of a container zero trust security protection method according to an embodiment of the present invention.
Fig. 2 is a schematic diagram of a container zero-trust security protection system according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the embodiments of the present invention more apparent, the embodiments and specific examples of the present invention are described in detail below with reference to the accompanying drawings. It should be understood that the embodiments and specific examples described herein are intended only to illustrate and explain the present invention and are not intended to limit the present invention.
Zero trust safety protection method for container
Referring to Fig. 1, a zero-trust security protection method for a container according to an embodiment of the invention mainly comprises the following steps.
S1: acquire the ingress traffic of the container and obtain the characteristic values of the attributes of the ingress traffic in a period;
S2: count the frequency distribution with which the characteristic values of each attribute appear in the period, and from it calculate the entropy value of the attribute in the period;
S3: calculate the average entropy value and the entropy variance from the historical entropy values of the attribute in different periods, so as to obtain a reasonable threshold; and
S4: if the entropy value of at least one attribute within a period exceeds its corresponding reasonable threshold, issue a warning that the container is under attack.
The zero-trust security method for containers according to an embodiment of the invention is described in further detail below by way of example, with reference to Figs. 1 and 2.
An optical splitter 3 is deployed on the network link 2 of the host 1 on which the container 5 (preferably a key container) runs, and copies the network traffic into a traffic resolver 4. The traffic resolver 4 extracts the ingress traffic packets destined to the container 5 according to the destination IP address of each traffic packet (that is, packets whose destination IP address is that of the container 5) and performs attribute extraction on them.
The attributes source IP address, source port number and destination port number of the ingress traffic are extracted over a fixed period. For each ingress flow an attribute vector V = {p_1, p_2, p_3} is formed, where p_1, p_2 and p_3 denote the 1st, 2nd and 3rd attributes of the ingress traffic, namely the source IP address, source port number and destination port number.
In each (fixed) period a number of specific characteristic values appear for each of the three attributes; the j-th characteristic value of the i-th attribute is indexed by i and j. For example, the source port number p_2 may take specific values such as 21, 22, 3309 and 80, and these are recorded together as the attribute's characteristic vector.
Then the number of occurrences k of each characteristic value in each period is counted and summarised into a characteristic-count mapping table for each attribute, where k_n denotes the number of occurrences of the n-th characteristic value.
The frequency of each characteristic value is then calculated from its count, and the counts in the characteristic-count mapping table are replaced one by one by the calculated frequencies, giving the characteristic-frequency mapping table.
The entropy value of each attribute in the period is then calculated; the higher the entropy value, the stronger the randomness of the attribute. The entropy value is calculated by formula (1), whose terms are defined as follows:
r_j denotes the frequency with which a characteristic value of attribute P_i appears; P_i denotes the i-th attribute, H(P_i) the entropy value of the i-th attribute, and n the number of characteristic values of the attribute in the period. Here i, j, n, k and similar indices are all positive (non-zero) integers.
Three entropy values, {H(P_1), H(P_2), H(P_3)}, are thus obtained for the three attributes in each period.
In addition, the average entropy value AH(P_i) and the entropy variance SH(P_i) of each attribute are calculated from the historical entropy values of other periods (periods different from the one whose entropy is being evaluated), giving the reasonable threshold [AH(P_i) - SH(P_i), AH(P_i) + SH(P_i)] for the entropy value of each attribute.
The historical entropy values are simply the entropy values calculated by formula (1) for the attribute in past periods. The average entropy value AH(P_i) and the entropy variance SH(P_i) are both computed in the manner understood by those skilled in the art. The reasonable threshold [AH(P_i) - SH(P_i), AH(P_i) + SH(P_i)] is the range from AH(P_i) - SH(P_i) up to AH(P_i) + SH(P_i).
When the entropy value of an attribute in a period is judged to exceed its reasonable threshold (an abnormal entropy value occurs), that is, when the entropy value of at least one attribute in the period falls outside its corresponding reasonable threshold range, the key container is suspected to have been attacked during that period. An alarm is sent to the responsible operations and maintenance personnel, who are prompted to analyse the traffic and the condition of the container in that period in detail; once the container is found to have been attacked, the problem container is masked and its traffic is redirected to other containers of the same type.
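The detection procedure above (characteristic-count table, characteristic-frequency table, per-attribute entropy, threshold from the historical mean and variance, alarm on excursion), as an added Python example that is not the patent's own code. It assumes the Shannon entropy H(P_i) = -Σ_j r_j log2 r_j, which matches the page's definitions of r_j and n although formula (1) itself is not reproduced on this page, and it follows the page literally in using the variance (not the standard deviation) as SH(P_i); the attribute names, flow records and history values are constructed here.

```python
from collections import Counter
from math import log2
from statistics import mean, pvariance

# The three attributes p1, p2, p3 named on the page (src IP, src port, dst port).
ATTRIBUTES = ("src_ip", "src_port", "dst_port")


def count_table(flows, attr):
    """Characteristic-count mapping table: value -> occurrences k_j in the period."""
    return Counter(flow[attr] for flow in flows)


def frequency_table(counts):
    """Replace each count k_j by its frequency r_j = k_j / sum(k)."""
    total = sum(counts.values())
    return {value: k / total for value, k in counts.items()}


def entropy(freqs):
    """Assumed Shannon form H(P_i) = -sum_j r_j * log2(r_j), in bits."""
    return 0.0 - sum(r * log2(r) for r in freqs.values() if r > 0)


def period_entropies(flows):
    """{H(P_1), H(P_2), H(P_3)} for one period of ingress flows."""
    return {a: entropy(frequency_table(count_table(flows, a))) for a in ATTRIBUTES}


def reasonable_threshold(history):
    """[AH - SH, AH + SH]; SH is taken literally as the variance of past entropies."""
    ah, sh = mean(history), pvariance(history)
    return (ah - sh, ah + sh)


def check_period(flows, history):
    """Return {attribute: (H, lo, hi)} for each attribute whose entropy leaves its band."""
    current = period_entropies(flows)
    alerts = {}
    for attr in ATTRIBUTES:
        lo, hi = reasonable_threshold(history[attr])
        if not lo <= current[attr] <= hi:
            alerts[attr] = (current[attr], lo, hi)
    return alerts


# ---- constructed sample data (not from the page) ----
# Historical per-period entropies of a quiet baseline, one list per attribute.
HISTORY = {
    "src_ip": [2.0, 1.9, 2.1, 2.0, 2.0],
    "src_port": [3.0, 2.8, 3.0, 3.2, 3.0],
    "dst_port": [1.0, 1.0, 0.95, 1.05, 1.0],
}


def flow(src_ip, src_port, dst_port):
    return {"src_ip": src_ip, "src_port": src_port, "dst_port": dst_port}


# A normal period: four clients, unique ephemeral source ports, two served ports.
NORMAL_PERIOD = [flow(f"10.0.0.{1 + i % 4}", 40000 + i, 80 if i % 2 else 443) for i in range(8)]
# A suspicious period: a single source touching eight different destination ports.
SCAN_PERIOD = [flow("198.51.100.7", 51000 + i, p)
               for i, p in enumerate((21, 22, 23, 25, 80, 443, 3306, 8080))]

if __name__ == "__main__":
    print("normal period alerts:", check_period(NORMAL_PERIOD, HISTORY))  # {}
    print("scan period alerts:", check_period(SCAN_PERIOD, HISTORY))      # src_ip and dst_port
```

Both directions of the band matter: in the scan period the destination-port entropy rises to 3.0 bits while the source-IP entropy collapses to 0, and each alone would raise the alarm. With a stable baseline the literal ±variance band is very narrow (about ±0.004 bits for src_ip here), so ordinary jitter would also alarm; the page leaves how AH and SH are computed to the skilled person.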
Although the three attributes source IP address, source port number and destination port number are used as examples above, the attributes of the invention are not limited to these, and their number is not limited to three.
The zero-trust security protection method for a container can thus judge the security condition of the container from the degree of randomness of each characteristic of the ingress traffic of key containers.
Zero trust security protection system for container
The zero-trust security protection system for a container is described below with reference to Fig. 2.
The system comprises a host 1, a network link 2, an optical splitter 3, a traffic resolver 4 and a container 5. Ingress traffic flows from the host 1 to the container 5 over the network link 2; the optical splitter 3 is deployed on the network link 2 and is configured to copy the traffic from the host 1 into the traffic resolver 4; the traffic resolver 4 is configured to extract the ingress traffic destined to the container 5 according to the destination IP address of the traffic, extract the attributes of that ingress traffic, calculate the entropy value and the reasonable threshold of each attribute, and judge whether the entropy value exceeds the reasonable threshold.
While the invention has been described with reference to specific embodiments, those skilled in the art will understand that various changes in form and detail may be made without departing from the spirit and scope of the invention as defined by the appended claims. The scope of protection of the invention is therefore that of the claims.
Claims (9)
1. A zero-trust security protection method for a container, characterised by comprising the following steps:
acquiring the ingress traffic of a container to obtain the characteristic values of the attributes of the ingress traffic in a period;
counting the frequency distribution with which the characteristic values of the attributes appear in the period, thereby calculating the entropy values of the attributes in the period;
calculating an average entropy value and an entropy variance from the historical entropy values of the attributes in different periods, so as to obtain a reasonable threshold; and
if the entropy value of at least one of said attributes in said period exceeds its corresponding reasonable threshold, issuing a warning that said container is under attack.
2. The zero-trust security protection method for a container of claim 1, wherein the number of occurrences of the characteristic values of the attribute in the period is counted and summarised into a characteristic-count mapping table of the attribute.
3. The zero-trust security protection method for a container of claim 2, wherein the frequency of occurrence of each characteristic value of the attribute in the period is calculated and the counts in the characteristic-count mapping table are replaced by the frequencies, thereby obtaining a characteristic-frequency mapping table.
4. The zero-trust security protection method for a container of claim 3, wherein the entropy value of the attribute in the period is calculated from the characteristic-frequency mapping table by the following formula:
where P_i denotes the i-th attribute, H(P_i) the entropy value of the i-th attribute, r_j the frequency with which the j-th characteristic value of the i-th attribute appears in the period, and n the number of characteristic values of the i-th attribute in the period; i, j and n are all positive (non-zero) integers.
5. The zero-trust security protection method for a container of claim 4, wherein the reasonable threshold is the range from the average entropy value minus the entropy variance up to the average entropy value plus the entropy variance.
6. The zero-trust security protection method for a container of claim 5, wherein, after the warning has been issued and the container is confirmed to be under attack, the attacked container is masked and its ingress traffic is redirected to other containers of the same type.
7. The zero-trust security protection method for a container of any one of claims 1 to 6, wherein the destination IP address of the ingress traffic is that of the container.
8. The zero-trust security protection method for a container of any one of claims 1 to 6, wherein the attributes comprise the source IP address, source port number and destination port number of the ingress traffic.
9. A zero-trust security protection system for a container, characterised in that the system is used to execute the zero-trust security protection method for a container of any one of claims 1 to 8 and comprises a host, a network link, an optical splitter, a traffic resolver and a container, wherein ingress traffic flows from the host to the container over the network link, the optical splitter is disposed on the network link and is configured to copy traffic from the host into the traffic resolver, and the traffic resolver is configured to extract the ingress traffic destined to the container according to the destination IP address of the traffic, extract the attributes of the ingress traffic, calculate the entropy value and the reasonable threshold of each attribute, and determine whether the entropy value exceeds the reasonable threshold.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202110786066.8A CN113595995A (en) | 2021-07-12 | 2021-07-12 | Zero-trust security protection method and system for container |
Publications (1)
Publication Number | Publication Date |
---|---|
CN113595995A true CN113595995A (en) | 2021-11-02 |
Family
ID=78247002
Citations (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN104580173A (en) * | 2014-12-25 | 2015-04-29 | 广东顺德中山大学卡内基梅隆大学国际联合研究院 | SDN (self-defending network) anomaly detection and interception method and system |
CN106357434A (en) * | 2016-08-30 | 2017-01-25 | 国家电网公司 | Detection method, based on entropy analysis, of traffic abnormity of smart grid communication network |
CN106357673A (en) * | 2016-10-19 | 2017-01-25 | 中国科学院信息工程研究所 | DDoS attack detecting method and DDoS attack detecting system of multi-tenant cloud computing system |
CN109951491A (en) * | 2019-03-28 | 2019-06-28 | 腾讯科技(深圳)有限公司 | Network attack detecting method, device, equipment and storage medium |
CN110225037A (en) | 2019-06-12 | 2019-09-10 | 广东工业大学 | A DDoS attack detection method and device |
CN110535888A (en) | 2019-10-12 | 2019-12-03 | 广州西麦科技股份有限公司 | Port scan attack detection method and related apparatus |
CN111901324A (en) | 2020-07-20 | 2020-11-06 | 杭州安恒信息技术股份有限公司 | Method, device and storage medium for traffic identification based on sequence entropy |
CN111953679A (en) * | 2020-08-11 | 2020-11-17 | 中国人民解放军战略支援部队信息工程大学 | Intranet user behavior measurement method and network access control method based on zero trust |
Non-Patent Citations (1)
Title |
---|
Wu Yunkun et al.: "A zero-trust-based access control method for SDN networks", Netinfo Security (信息网络安全) |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| PB01 | Publication | |
| SE01 | Entry into force of request for substantive examination | |
| RJ01 | Rejection of invention patent application after publication | Application publication date: 20211102 |