CN114168969A - Container safety protection method, container safety protection device, electronic apparatus, and medium - Google Patents


Info

Publication number: CN114168969A
Authority: CN (China)
Prior art keywords: metadata, network, blocking control, blocking, node
Legal status: Pending
Application number: CN202111495830.2A
Other languages: Chinese (zh)
Inventors: 常青, 谢文博, 罗鹏
Current assignee: China Telecom Corp Ltd
Original assignee: China Telecom Corp Ltd
Application filed by China Telecom Corp Ltd
Priority to CN202111495830.2A
Publication of CN114168969A

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/57 Certifying or maintaining trusted computer platforms, e.g. secure boots or power-downs, version controls, system software checks, secure updates or assessing vulnerabilities


Abstract

The disclosure provides a container safety protection method, a container safety protection device, electronic equipment and a computer readable storage medium, and belongs to the technical field of computers. The method is applied to a central control node at the container end and comprises the following steps: acquiring network metadata and system call metadata; acquiring a blocking rule, and generating a blocking control instruction according to the blocking rule, the network metadata and the system call metadata; and sending the blocking control instruction to a blocking control node so that the blocking control node performs blocking control from a network side or a system side according to the blocking control instruction. The safety protection device can accurately and effectively protect the safety of the container.

Description

Container safety protection method, container safety protection device, electronic apparatus, and medium
Technical Field
The present disclosure relates to the field of computer technologies, and in particular, to a container security protection method, a container security protection apparatus, an electronic device, and a computer-readable storage medium.
Background
BPF (Berkeley Packet Filter) is a technology originally used in the field of packet filtering. With the development of the Linux kernel, BPF was extended and redesigned into eBPF (extended Berkeley Packet Filter). Because of the advancement and high efficiency of eBPF, it has gradually been applied to system monitoring and networking, and has been put into industrial practice in performance monitoring and network traffic processing, for example by applying eBPF to the security monitoring of container systems in order to address their security problems. However, in the prior art, security monitoring cannot take the data security of both the network side and the system side into account at the same time, and usually only after-the-fact processing can be performed while advance protection cannot; that is, it is difficult to implement real-time blocking of malicious behavior, so the security of the container system remains under serious threat.
Therefore, how to ensure the safety of the container system in a timely and effective manner is a problem that urgently needs to be solved in the prior art.
It is to be noted that the information disclosed in the above background section is only for enhancement of understanding of the background of the present disclosure, and thus may include information that does not constitute prior art known to those of ordinary skill in the art.
Disclosure of Invention
The present disclosure provides a container security protection method, a container security protection apparatus, an electronic device, and a computer-readable storage medium, thereby overcoming, at least to some extent, the problem of the prior art that the container security protection is weak.
Additional features and advantages of the disclosure will be set forth in the detailed description which follows, or in part will be obvious from the description, or may be learned by practice of the disclosure.
According to one aspect of the present disclosure, there is provided a container security protection method applied to a central control node at a container end, including: acquiring network metadata and system call metadata; acquiring a blocking rule, and generating a blocking control instruction according to the blocking rule, the network metadata and the system call metadata; and sending the blocking control instruction to a blocking control node so that the blocking control node performs blocking control from a network side or a system side according to the blocking control instruction.
In an exemplary embodiment of the present disclosure, the obtaining of network metadata and system call metadata includes: monitoring and collecting the network metadata at a network side by adopting eBPF technology, and monitoring and collecting the system call metadata at a system side; the network metadata comprises network link data or network flow data, and the system call metadata comprises system process data or system call parameter data.
In an exemplary embodiment of the present disclosure, the blocking control instruction includes a network blocking control instruction and a system call blocking control instruction, and the blocking control node includes a network side blocking control node and a system side blocking control node; the sending the blocking control instruction to a blocking control node so that the blocking control node performs blocking control from a network side or a system side according to the blocking control instruction includes: sending the network blocking control instruction to a network side blocking control node so that the network side blocking control node performs blocking control on the network through a first blocking mechanism; and sending the system call blocking control instruction to a system side blocking control node so that the system side blocking control node performs blocking control on the system call through a second blocking mechanism.
In an exemplary embodiment of the present disclosure, the method further comprises: defining priority information according to the system event and synchronizing the priority information to an information cache node; the information caching node is configured to cache the priority information, and the priority information is used to manage priorities of the network metadata and the system call metadata.
In an exemplary embodiment of the present disclosure, before obtaining the network metadata and the system call metadata, the method further comprises: acquiring the network metadata from a network side and the system call metadata from a system side through a data tracking node, and synchronizing the network metadata and the system call metadata to a data collection node; enabling the data collection node to obtain priority information from the information cache node, adjust the priority of the network metadata and the priority of the system call metadata according to the collected context information, and input the network metadata and the system call metadata into a data cache queue according to the priorities; the acquiring of the network metadata and the system call metadata then includes: acquiring the network metadata and the system call metadata from the data cache queue according to the priority.
In an exemplary embodiment of the present disclosure, the data buffer queue is a circular buffer queue.
In an exemplary embodiment of the present disclosure, the obtaining the blocking rule includes: obtaining the blocking rule from a rule engine node; and the rule engine node is used for defining malicious behavior data according to the behavior data acquired in advance and determining the blocking rule.
According to an aspect of the present disclosure, there is provided a container safety protection device applied to a central control node of a container end, including: a data acquisition module for acquiring network metadata and system call metadata; an instruction generation module for acquiring a blocking rule and generating a blocking control instruction according to the blocking rule, the network metadata and the system call metadata; and an instruction sending module for sending the blocking control instruction to a blocking control node so that the blocking control node carries out blocking control from a network side or a system side according to the blocking control instruction.
In an exemplary embodiment of the present disclosure, the data acquisition module includes: a data acquisition unit for monitoring and acquiring the network metadata at a network side by adopting eBPF technology and monitoring and acquiring the system call metadata at a system side; the network metadata comprises network link data or network flow data, and the system call metadata comprises system process data or system call parameter data.
In an exemplary embodiment of the present disclosure, the blocking control instruction includes a network blocking control instruction and a system call blocking control instruction, and the blocking control node includes a network side blocking control node and a system side blocking control node; the instruction sending module comprises: the first blocking control unit is used for sending the network blocking control instruction to a network side blocking control node so that the network side blocking control node can carry out blocking control on the network through a first blocking mechanism; and the second blocking control unit is used for sending the system call blocking control instruction to a system side blocking control node so that the system side blocking control node performs blocking control on the system call through a second blocking mechanism.
In an exemplary embodiment of the present disclosure, the container security protection device further includes: a priority information synchronization module for defining priority information according to the system event and synchronizing the priority information to the information cache node; the information caching node is configured to cache the priority information, and the priority information is used to manage priorities of the network metadata and the system call metadata.
In an exemplary embodiment of the present disclosure, the container security protection device further includes: a data synchronization module for acquiring the network metadata from a network side and the system call metadata from a system side through a data tracking node, and synchronizing the network metadata and the system call metadata to a data collection node; a priority adjusting module for enabling the data collection node to obtain priority information from the information cache node, adjust the priority of the network metadata and the priority of the system call metadata according to the collected context information, and input the network metadata and the system call metadata into a data cache queue according to the priorities; and the data acquisition module is then used for acquiring the network metadata and the system call metadata from the data cache queue according to the priority.
In an exemplary embodiment of the present disclosure, the data buffer queue is a circular buffer queue.
In an exemplary embodiment of the present disclosure, the instruction generating module includes: a blocking rule obtaining unit, configured to obtain the blocking rule from a rule engine node; and the rule engine node is used for defining malicious behavior data according to the behavior data acquired in advance and determining the blocking rule.
According to an aspect of the present disclosure, there is provided an electronic device including: a processor; and a memory for storing executable instructions of the processor; wherein the processor is configured to perform the method of any one of the above via execution of the executable instructions.
According to an aspect of the present disclosure, there is provided a computer readable storage medium having stored thereon a computer program which, when executed by a processor, implements the method of any one of the above.
Exemplary embodiments of the present disclosure have the following advantageous effects:
acquiring network metadata and system call metadata; acquiring a blocking rule, and generating a blocking control instruction according to the blocking rule, the network metadata and the system call metadata; and sending the blocking control instruction to the blocking control node so that the blocking control node performs blocking control from the network side or the system side according to the blocking control instruction. On one hand, the exemplary embodiment provides a new container security protection method, which can perform data monitoring and observation at two levels, namely the network side and the system side, and maintain the security of the container and the system from multiple aspects; on the other hand, based on the acquired network metadata and system call metadata, a blocking control instruction can be generated according to a blocking rule and sent to the blocking control node in time, so that the blocking control node can quickly and effectively block malicious behaviors on the network side or the system side in real time, further ensuring the safety of the container.
It is to be understood that both the foregoing general description and the following detailed description are exemplary and explanatory only and are not restrictive of the disclosure.
Drawings
The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate embodiments consistent with the present disclosure and together with the description, serve to explain the principles of the disclosure. It is to be understood that the drawings in the following description are merely exemplary of the disclosure, and that other drawings may be derived from those drawings by one of ordinary skill in the art without the exercise of inventive faculty.
FIG. 1 schematically illustrates a flow chart of a method of securing a container in the present exemplary embodiment;
FIG. 2 schematically illustrates a sub-flow diagram of a method of securing a container in the present exemplary embodiment;
FIG. 3 schematically illustrates another sub-flow diagram of a method of securing a container in the exemplary embodiment;
FIG. 4 is a system architecture diagram schematically illustrating a method of securing a container in the exemplary embodiment;
FIG. 5 schematically illustrates a flow chart of another method of securing a container in the exemplary embodiment;
FIG. 6 is a block diagram schematically showing the structure of a container safety guard in the present exemplary embodiment;
FIG. 7 schematically illustrates an electronic device for implementing the above method in the present exemplary embodiment.
Detailed Description
Example embodiments will now be described more fully with reference to the accompanying drawings. Example embodiments may, however, be embodied in many different forms and should not be construed as limited to the examples set forth herein; rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the concept of example embodiments to those skilled in the art. The described features, structures, or characteristics may be combined in any suitable manner in one or more embodiments.
The exemplary embodiments of the present disclosure can be applied to a central control node on the container side, where a container refers to a series of processes isolated from other parts of the system; a container has portability and consistency, and meets the resource requirements of its workload by dividing the resources of the operating system into isolated groups. The container of the present exemplary embodiment may be a parallel container: generally, the security module in the system may run as a container in parallel with the user's application container, that is, the security module may itself be deployed in the form of a container, and the container running the security module may be regarded as a parallel container. The container may be deployed on a server terminal or a platform, which the present disclosure does not specifically limit. The central control node refers to a central control component in the container, which can be implemented by a program or software and is used for receiving data, issuing instructions and the like.
The exemplary embodiment is further described with reference to fig. 1, and as shown in fig. 1, the container security protection method may include the following steps S110 to S130:
step S110, network metadata and system call metadata are obtained.
The network metadata refers to metadata collected at the network side, such as network five-tuple data or data about the process that creates a network connection; a system call is the main mechanism of interaction between a user space program and the kernel, and the system call metadata refers to metadata generated when a system call is performed, such as the system call name or the call parameters. In this exemplary embodiment, a specific component or node may be set up in the container to obtain the network metadata and the system call metadata; the node obtaining the network metadata and the node obtaining the system call metadata may be set up separately, or a unified data obtaining node may be used.
In an exemplary embodiment, the step S110 may include:
monitoring and acquiring network metadata at a network side by adopting eBPF technology, and monitoring and acquiring system call metadata at a system side;
the network metadata comprises network link data or network flow data, and the system call metadata comprises system process data or system call parameter data.
Specifically, the network metadata may include network connection data or network traffic data. The network connection data may be five-tuple data such as the source IP (Internet Protocol) address, source port, destination IP address, destination port and transport layer protocol, or information about the process creating the network connection, such as the process ID (identifier), the process command line, and the like. Network traffic data refers to the actual payload data, e.g., all the specific traffic packets carried. The system call metadata includes system process data or system call parameter data, where the system process data refers to data related to a process, such as the process ID, the process command line, and the like, and the system call parameter data refers to parameter data generated during a system call, such as the system call name, the number of parameters, the specific parameter values, the return value, and the like. When the system call metadata is obtained, all of it may be obtained, or only a part of it, which is not specifically limited by the present disclosure.
The exemplary embodiment can deploy security monitoring mechanisms at two layers to obtain the network metadata and the system call metadata respectively. Specifically, it can observe network traffic in real time at the input/output stream of the network side based on XDP (eXpress Data Path), an extension of eBPF, to capture network connections and monitor network traffic at the network interface; additionally, system call metadata may also be monitored and collected based on eBPF. Finally, the metadata acquired at the network side and the metadata acquired at the system side can be integrated as required, for example by correlating processes, files, input/output streams and network traffic, so as to realize monitoring at both the network-side and system-side layers.
Step S120, obtaining the blocking rule, and generating a blocking control instruction according to the blocking rule, the network metadata and the system call metadata.
The blocking rule is a rule policy for judging whether blocking control needs to be executed; by evaluating the currently acquired network metadata and system call metadata against the blocking rule, it can be determined whether they contain malicious behavior data, illegal data or other data threatening the current container. The central control node may generate a blocking control instruction based on the determination result, where the blocking control instruction refers to an instruction for performing blocking control, and specifically may include a network blocking control instruction, that is, an instruction for performing blocking control on the network, and a system blocking control instruction, that is, an instruction for performing blocking control on a system call. In practical applications, the blocking control instruction may be generated or sent as a code or in other forms, for example "1" indicates an instruction to perform blocking and "0" an instruction not to perform blocking; the present disclosure is not particularly limited in this respect, and depending on the types of blocking control instruction there may be other encodings, for example "11" indicating an instruction to perform network blocking and "01" an instruction to perform system blocking, and the like.
In an exemplary embodiment, the obtaining the blocking rule may include:
obtaining a blocking rule from a rule engine node;
and the rule engine node is used for defining malicious behavior data according to the behavior data acquired in advance and determining a blocking rule.
The rule engine node can be a custom-designed rule engine, which can collect a large amount of historical behavior data or other behavior data in advance, and define the malicious behavior data by analyzing and classifying that behavior data, so that the blocking rule is determined and can be called by the central control node. In practical application, the rule engine in the rule engine node can update the blocking rule in time by periodically updating the malicious behavior data, so as to ensure the accuracy and efficiency with which the central control node generates blocking control instructions.
Step S130, sending the blocking control instruction to the blocking control node, so that the blocking control node performs blocking control from the network side or the system side according to the blocking control instruction.
Further, the central control node may send the blocking control instruction to the blocking control node, where the blocking control node may be a blocking controller component that performs network blocking or system call blocking, and may be divided into a system side blocking control node and a network side blocking control node according to actual needs. According to the execution type of the blocking control instruction, the instruction may be sent to the corresponding blocking control node, so that the system side blocking control node performs blocking control on the system call, or the network side blocking control node performs blocking control on the network, and so on. Blocking control from the network side can mean disconnecting the network connection, stopping the network service and the like; blocking control from the system side may mean no longer allowing the system call and the like, for example, after system side blocking control, the system call may return a failure result without actually being executed.
In this exemplary embodiment, the system side blocking control node and the network side blocking control node may perform blocking control at the same time, for example, the central control node may send different types of blocking control instructions to the corresponding blocking control nodes at the same time, so that the network side and the system side perform blocking control; the blocking control may also not be executed at the same time, for example, after the central control node processes the network metadata to determine the network blocking instruction, the network blocking instruction is sent to the network side blocking control node in real time to enable the network side blocking control node to perform the network blocking control, or after the central control node processes the system calling metadata to determine the system calling blocking control instruction, the system calling blocking control instruction is sent to the system side blocking control node in real time to enable the system side blocking control node to perform the blocking control of the system calling, and the like.
In an exemplary embodiment, the blocking control instruction includes a network blocking control instruction and a system call blocking control instruction, and the blocking control node includes a network side blocking control node and a system side blocking control node;
as shown in fig. 2, the step S130 may include the following steps:
step S210, sending a network blocking control instruction to a network side blocking control node so that the network side blocking control node performs blocking control on the network through a first blocking mechanism;
step S220, sending the system call blocking control instruction to the system side blocking control node, so that the system side blocking control node performs blocking control on the system call through the second blocking mechanism.
In the present exemplary embodiment, different blocking mechanisms may be adopted for the blocking control performed by the network-side blocking control node and the system-side blocking control node. The first blocking mechanism refers to the mechanism adopted when the network-side blocking control node blocks the network; it may be an IP Filter mechanism, and the IP Filter may be installed as a loadable kernel module or built directly into the operating system kernel, which is not specifically limited in this disclosure. The second blocking mechanism is the mechanism adopted when the system side blocking control node blocks the system call; it may be an IP SecComp (Secure Computing mode) mechanism, where IP SecComp refers to a kernel security module that can be used to restrict the system calls an application process is allowed to make. A container is actually a process running on the host and shares the host's kernel; if every container had unrestricted system call capability, then once a container is compromised its isolation could easily be bypassed to change privileges on the host system or break out into the host, threatening system security. The exemplary embodiment can therefore limit the system calls of the container through the IP SecComp mechanism, so as to effectively reduce the attack surface.
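Steps S120, S130 and the S210/S220 split together describe a small decision loop: evaluate each metadata record against the blocking rules, encode the verdict, and route it to the network-side or system-side blocking control node. The following is an added example (not the patent's own code) of such a central-control-node rule engine in Python; the rule format, the metadata field names and the sample records are assumptions, and the "11" / "01" / "0" codes follow the encoding the description gives as an example.

```python
"""Central-control-node rule engine: metadata in, encoded blocking control
instruction out, dispatched to the matching blocking control node.

Assumptions (not from the patent): rule representation, metadata dict layout,
and the three instruction codes below.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List

NET_BLOCK = "11"   # routed to the network-side blocking control node
SYS_BLOCK = "01"   # routed to the system-side blocking control node
NO_BLOCK = "0"     # nothing to block


@dataclass
class BlockingRule:
    name: str
    side: str                      # "network" or "system": which metadata it applies to
    match: Callable[[dict], bool]  # predicate over one metadata record


@dataclass
class BlockingInstruction:
    code: str          # one of NET_BLOCK / SYS_BLOCK / NO_BLOCK
    rule: str          # name of the rule that fired ("" when nothing fired)
    target: dict = field(repr=False)  # the metadata record the verdict refers to


def default_rules() -> List[BlockingRule]:
    """Constructed rules standing in for what the rule engine node derives from
    previously collected behaviour data (198.51.100.0/24 is documentation space)."""
    return [
        BlockingRule("deny-egress-to-denylisted-net", "network",
                     lambda m: m.get("dst_ip", "").startswith("198.51.100.")),
        BlockingRule("deny-ptrace-in-container", "system",
                     lambda m: m.get("syscall") == "ptrace"),
        BlockingRule("deny-mount-over-root", "system",
                     lambda m: m.get("syscall") == "mount"
                     and m.get("args", {}).get("target") == "/"),
    ]


class CentralControlNode:
    def __init__(self, rules: List[BlockingRule]):
        self.rules = rules
        # what was sent to each blocking control node, so it can be inspected
        self.sent: Dict[str, List[BlockingInstruction]] = {"network": [], "system": []}

    def generate_instruction(self, metadata: dict) -> BlockingInstruction:
        """Step S120: first matching rule for this record's side decides the code."""
        kind = metadata.get("kind")  # "network" or "system", set by the data tracking node
        for rule in self.rules:
            if rule.side == kind and rule.match(metadata):
                return BlockingInstruction(NET_BLOCK if kind == "network" else SYS_BLOCK,
                                           rule.name, metadata)
        return BlockingInstruction(NO_BLOCK, "", metadata)

    def send_instruction(self, instr: BlockingInstruction) -> str:
        """Steps S130/S210/S220: route by code; NO_BLOCK is not sent anywhere."""
        if instr.code == NET_BLOCK:
            self.sent["network"].append(instr)
        elif instr.code == SYS_BLOCK:
            self.sent["system"].append(instr)
        return instr.code

    def process(self, records: List[dict]) -> List[str]:
        return [self.send_instruction(self.generate_instruction(r)) for r in records]


# Constructed sample metadata: two network five-tuple records and three syscall records.
SAMPLE_METADATA = [
    {"kind": "network", "src_ip": "10.0.0.5", "src_port": 45000, "dst_ip": "198.51.100.7",
     "dst_port": 443, "proto": "tcp", "pid": 1201, "comm": "curl"},
    {"kind": "network", "src_ip": "10.0.0.5", "src_port": 45001, "dst_ip": "10.0.0.9",
     "dst_port": 80, "proto": "tcp", "pid": 1201, "comm": "curl"},
    {"kind": "system", "pid": 1300, "comm": "sh", "syscall": "ptrace",
     "args": {"request": "PTRACE_ATTACH"}},
    {"kind": "system", "pid": 1301, "comm": "mount", "syscall": "mount",
     "args": {"source": "/dev/sda1", "target": "/"}},
    {"kind": "system", "pid": 1302, "comm": "app", "syscall": "openat",
     "args": {"path": "/etc/hosts"}, "ret": 3},
]


def run_sample() -> dict:
    node = CentralControlNode(default_rules())
    codes = node.process(SAMPLE_METADATA)
    return {"codes": codes,
            "network_sent": [i.rule for i in node.sent["network"]],
            "system_sent": [i.rule for i in node.sent["system"]]}


if __name__ == "__main__":
    print(run_sample())
```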
In an exemplary embodiment, the container security protection method may further include:
defining priority information according to the system event and synchronizing the priority information to an information cache node;
the information caching node is used for caching priority information, and the priority information is used for managing the priority of the network metadata and the priority of the system calling metadata.
In this exemplary embodiment, in addition to acquiring the blocking rule and sending the blocking control instruction, the central control node may further define priority information for different system events and synchronize it to an information caching node, which may be an information caching component of a Kubernetes cluster. System events are identified by system calls, and one system call may be considered to correspond to one system event. The priority information of a system call is predefined, and the predefined standard is determined by its degree of association with malicious behavior; for example, the bind system call defines a system event that opens an external port, whose association with possible malicious behavior is high, so that system event can be provided preferentially to the upper layer, for example to the rule engine for discrimination.
In an exemplary embodiment, before step S110, as shown in fig. 3, the container security protection method may further include the following steps:
step S310, obtaining network metadata from the network side and system call metadata from the system side through a data tracking node, and synchronizing the network metadata and the system call metadata to a data collection node;
step S320, enabling the data collection node to obtain priority information from the information cache node, adjust the priority of the network metadata and the priority of the system call metadata according to the collected context information, and input the network metadata and the system call metadata into a data cache queue according to the priorities;
further, step S110 may include:
and step S330, acquiring network metadata and system call metadata from the data cache queue according to the priority.
The exemplary embodiment may configure the data trace node to obtain unprocessed network metadata and system call metadata, for example, obtain the network metadata through the network data trace node, obtain the system call metadata through the system data trace node, and enable the data trace node to synchronize the obtained network metadata and system call metadata to the data collection node. The data collection node is used for receiving input network metadata and system call metadata, adjusting priorities of the network metadata and the system call metadata according to context information collected by the central controller, and inputting the network metadata and the system call metadata into the data cache queue according to the priorities, for example, metadata with higher priorities can be input into the data cache queue according to priority ordering.
Further, the central control node may obtain the network metadata and the system call metadata from the data cache queue subjected to the priority processing. By the method, the priorities of different processes can be classified in the kernel mode, the granularity of system tracking of different processes can be effectively controlled by determining and adjusting the priorities of the metadata, and more efficient system tracking is realized.
In an exemplary embodiment, the data buffer queue is a circular buffer queue. By storing the network metadata and the system call metadata in a circular buffer area that carries the priority ordering, the timeliness and integrity of collection of the network metadata or system call metadata with higher priority can be ensured.
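The collection step described above (priority assignment from cached priority information, adjustment by context, and a bounded priority-ordered buffer feeding the central control node) can be modelled as follows. This is an added example, not code from the patent. The syscall priority table, the `watched_pids` context key, the `CONTEXT_BONUS` value and the eviction policy (a full buffer drops its lowest-priority entry rather than the newest) are all assumptions made for the illustration; the patent only states that higher-priority metadata must keep its timeliness and integrity.

```python
"""Data collection node with a priority-ordered ring buffer (added example).

Assumptions not taken from the patent text: SYSCALL_PRIORITY stands in for
the information caching node, a context dict with "watched_pids" raises an
event's priority, and a full buffer evicts its lowest-priority entry so that
higher-priority metadata is never the first to be dropped.
"""
import bisect
import itertools

# Constructed priority table: calls that open ports or spawn processes are
# more strongly associated with malicious behaviour and rank higher.
SYSCALL_PRIORITY = {"bind": 90, "execve": 80, "connect": 70, "openat": 30,
                    "read": 10, "write": 10}
DEFAULT_SYSCALL_PRIORITY = 20
# Network metadata: a new link (connection) outranks periodic flow statistics.
NETWORK_PRIORITY = {"link": 40, "flow": 15}
CONTEXT_BONUS = 15  # added when the event's pid appears in the collected context


class PriorityRingBuffer:
    """Bounded buffer kept sorted by (priority, arrival order).

    push() on a full buffer drops the new entry if it ranks below everything
    stored, otherwise evicts the lowest-priority (then oldest) entry.
    pop() returns the highest-priority entry, FIFO among equal priorities.
    """

    def __init__(self, capacity):
        if capacity <= 0:
            raise ValueError("capacity must be positive")
        self.capacity = capacity
        self._items = []             # ascending list of (priority, seq, meta)
        self._seq = itertools.count()
        self.dropped = 0             # entries lost to eviction or rejection

    def __len__(self):
        return len(self._items)

    def push(self, priority, meta):
        if len(self._items) >= self.capacity:
            if priority < self._items[0][0]:
                self.dropped += 1    # new entry ranks below everything kept
                return False
            self._items.pop(0)       # evict lowest-priority, oldest entry
            self.dropped += 1
        # seq is unique, so the dict in position 2 is never compared.
        bisect.insort(self._items, (priority, next(self._seq), meta))
        return True

    def pop(self):
        if not self._items:
            return None
        top = self._items[-1][0]
        # First index holding the top priority: (top, -1) sorts before any seq.
        i = bisect.bisect_left(self._items, (top, -1))
        priority, _, meta = self._items.pop(i)
        return priority, meta


def assign_priority(meta, context):
    """Base priority from the cached table, adjusted by collected context."""
    if meta["kind"] == "syscall":
        priority = SYSCALL_PRIORITY.get(meta["syscall"], DEFAULT_SYSCALL_PRIORITY)
    elif meta["kind"] == "network":
        priority = NETWORK_PRIORITY.get(meta["event"], NETWORK_PRIORITY["flow"])
    else:
        raise ValueError(f"unknown metadata kind: {meta['kind']!r}")
    if meta.get("pid") in context.get("watched_pids", ()):
        priority += CONTEXT_BONUS
    return priority


def collect(events, context, capacity):
    """The data collection node: prioritise each event and queue it."""
    buf = PriorityRingBuffer(capacity)
    for meta in events:
        buf.push(assign_priority(meta, context), meta)
    return buf


def drain(buf):
    """What the central control node reads: entries in priority order."""
    out = []
    while len(buf):
        out.append(buf.pop())
    return out


# Constructed sample events, as the network and system tracing nodes would emit.
SAMPLE_EVENTS = [
    {"kind": "syscall", "syscall": "read", "pid": 101, "fd": 3},
    {"kind": "syscall", "syscall": "write", "pid": 101, "fd": 1},
    {"kind": "network", "event": "flow", "pid": 101, "bytes": 512},
    {"kind": "syscall", "syscall": "bind", "pid": 202, "port": 9001},
    {"kind": "syscall", "syscall": "openat", "pid": 303, "path": "/etc/shadow"},
    {"kind": "network", "event": "link", "pid": 202, "dst": "10.0.0.5:22"},
    {"kind": "syscall", "syscall": "execve", "pid": 303, "argv": ["/bin/sh"]},
    {"kind": "syscall", "syscall": "read", "pid": 101, "fd": 3},
]
SAMPLE_CONTEXT = {"watched_pids": {303}}  # constructed central-controller context

if __name__ == "__main__":
    buf = collect(SAMPLE_EVENTS, SAMPLE_CONTEXT, capacity=5)
    for priority, meta in drain(buf):
        print(priority, meta)
    print("dropped:", buf.dropped)
```

With a capacity of five, the three lowest-priority records (two reads and a write) are the ones lost, while bind and execve, the calls most associated with malicious behaviour, reach the central control node first. A FIFO ring buffer of the same size would instead have discarded whichever records arrived earliest.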
Based on the above description, in the present exemplary embodiment, network metadata and system call metadata are acquired; acquiring a blocking rule, and generating a blocking control instruction according to the blocking rule, network metadata and system call metadata; and sending the blocking control instruction to the blocking control node so that the blocking control node performs blocking control from the network side or the system side according to the blocking control instruction. On one hand, the exemplary embodiment provides a new container security protection method, which can perform data monitoring and observation from two levels, namely a network side and a system side, and maintain the security of the container and the system from multiple aspects; on the other hand, based on the acquired network metadata and system call metadata, a blocking control instruction can be generated according to a blocking rule and sent to the blocking control node in time, so that the blocking control node can quickly and effectively block malicious behaviors on the network side or the system side in real time, and the safety of the container is further ensured.
Fig. 4 is a schematic diagram of the system architecture of the container security protection method in the exemplary embodiment. The container end 400 may include a network data tracing node 410, a system data tracing node 420, a data collecting node 430, an information caching node 440, a data caching queue 450, a central controller 460, a rule engine node 470, a network-side blocking control node 480, and a system-side blocking control node 490. As shown in fig. 5, the specific implementation may include the following steps:
step S510, obtaining network metadata through the network data tracking node 410, obtaining system call metadata through the system data tracking node 420, and sending the obtained network metadata and system call metadata to the data collection node 430;
step S520, the data collecting node 430 adjusts the priority of the received network metadata and system call metadata according to the context information and the priority information synchronized from the information cache node 440, and inputs them into the data cache queue 450 according to priority, wherein the context information is collected by the central controller 460, and the priority information is defined by the central controller 460 and synchronized to the information cache node 440;
in step S530, the central controller 460 extracts the network metadata and the system call metadata from the data cache queue 450 according to priority, generates a blocking control instruction according to the blocking rule obtained from the rule engine node 470, and sends the blocking control instruction to the network-side blocking control node 480 and the system-side blocking control node 490, so that the network-side blocking control node 480 performs blocking control on the network and the system-side blocking control node 490 performs blocking control on the system call.
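Step S530 above, the central controller matching prioritised metadata against blocking rules and dispatching network-side and system-side instructions, is illustrated by the following added example. It is not code from the patent. The rule format (a `match` section, an optional `unless` exception section and a `block` side), the rule ids, the allowlisted ports, the blocklisted address 203.0.113.9 (a documentation range) and the `RecordingBlockingNode` class are all constructed for the illustration; the patent does not specify the first and second blocking mechanisms, so the blocking control nodes here only record what they were told to block.

```python
"""Central controller: blocking-rule matching and instruction dispatch (added example).

Assumptions not taken from the patent text: a blocking rule is a dict with a
"match" section (field -> value, or a set of allowed values), an optional
"unless" exception section and a "block" side; the blocking control nodes
are simulated as objects that record the instructions they receive.
"""
from dataclasses import dataclass

# Constructed rules standing in for what the rule engine node would supply.
BLOCKING_RULES = [
    {   # a listener on a port outside the service allowlist
        "id": "net-unexpected-listener",
        "match": {"kind": "syscall", "syscall": "bind"},
        "unless": {"port": {80, 443, 8080}},
        "block": "network",
    },
    {   # a new connection to a constructed blocklisted address
        "id": "net-blocklisted-destination",
        "match": {"kind": "network", "event": "link", "dst_ip": {"203.0.113.9"}},
        "block": "network",
    },
    {   # process spawning inside the container
        "id": "sys-unexpected-exec",
        "match": {"kind": "syscall", "syscall": "execve"},
        "block": "system",
    },
]


@dataclass(frozen=True)
class BlockingInstruction:
    side: str       # "network" or "system"
    rule_id: str
    pid: int
    target: str     # port, destination or syscall the node should act on


def _matches(meta, conditions):
    """Every condition must hold; a set means 'any of these values'."""
    for key, want in conditions.items():
        have = meta.get(key)
        if isinstance(want, (set, frozenset)):
            if have not in want:
                return False
        elif have != want:
            return False
    return True


def rule_applies(meta, rule):
    if not _matches(meta, rule["match"]):
        return False
    return not ("unless" in rule and _matches(meta, rule["unless"]))


def generate_instruction(meta, rule):
    """Build the instruction the matching blocking control node will execute."""
    if rule["block"] == "network":
        target = f"port:{meta['port']}" if "port" in meta else f"dst:{meta['dst_ip']}"
    else:
        target = f"syscall:{meta['syscall']}"
    return BlockingInstruction(rule["block"], rule["id"], meta["pid"], target)


class RecordingBlockingNode:
    """Simulated blocking control node; a real one would enforce the block."""

    def __init__(self, side):
        self.side = side
        self.blocked = []

    def apply(self, instr):
        if instr.side != self.side:
            raise ValueError(f"{self.side} node received a {instr.side} instruction")
        self.blocked.append(instr)


def central_controller(metadata_in_priority_order, rules, network_node, system_node):
    """Match each metadata record against the rules; the first match wins."""
    issued = []
    for meta in metadata_in_priority_order:
        for rule in rules:
            if rule_applies(meta, rule):
                instr = generate_instruction(meta, rule)
                node = network_node if instr.side == "network" else system_node
                node.apply(instr)
                issued.append(instr)
                break
    return issued


# Constructed metadata, already ordered as the data cache queue would deliver it.
SAMPLE_METADATA = [
    {"kind": "syscall", "syscall": "execve", "pid": 303, "argv": ["/bin/sh"]},
    {"kind": "syscall", "syscall": "bind", "pid": 202, "port": 9001},
    {"kind": "network", "event": "link", "pid": 202, "dst_ip": "203.0.113.9", "dst_port": 443},
    {"kind": "syscall", "syscall": "bind", "pid": 404, "port": 8080},
    {"kind": "syscall", "syscall": "openat", "pid": 303, "path": "/etc/hostname"},
]


def run_sample():
    net, sys_ = RecordingBlockingNode("network"), RecordingBlockingNode("system")
    issued = central_controller(SAMPLE_METADATA, BLOCKING_RULES, net, sys_)
    return issued, net, sys_


if __name__ == "__main__":
    for instr in run_sample()[0]:
        print(instr)
```

Because the metadata arrives in priority order, the execve and bind records are evaluated before the benign openat record, so the instructions that matter are issued first; the bind on allowlisted port 8080 is skipped by the `unless` clause, which is the kind of exception a rule engine needs to avoid blocking a container's own service port.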
In the exemplary embodiment, the central controller 460 and the data buffer queue 450 may communicate with each other through a user mode Pipe, where the user mode Pipe refers to a communication mode from a kernel mode to a user mode, and is represented by generating a Pipe file in a user mode file system, and the Pipe file synchronizes data of the kernel mode in real time.
With the present exemplary embodiment, a better technical effect than the prior art can be achieved when performing security protection on a container. Table 1 shows comparative data on system overhead using the prior art and using the present exemplary embodiment:
TABLE 1
Item                                         Prior art     Present exemplary embodiment   Improvement ratio
CPU overhead                                 12%           8%                             50%
Efficiency of analysis (standard 5 minutes)  83%~50%       99.4%~99.9%                    20%~100%
Memory overhead (single sandbox)             256M~1024M    128M                           50%~700%
Table 2 shows the validity evaluation data of the system events using the prior art and using the present exemplary embodiment:
TABLE 2
[Table 2 appears only as an image (BDA0003400720340000121) in the original publication; its values are not reproduced in the text.]
Therefore, in terms of both system overhead and the effectiveness of system events, the method and apparatus achieve a large improvement.
The exemplary embodiment of the present disclosure also provides a container security protection apparatus. Referring to fig. 6, the apparatus 600 may include a data obtaining module 610 for obtaining network metadata and system call metadata; an instruction generating module 620 configured to obtain a blocking rule and generate a blocking control instruction according to the blocking rule, the network flow metadata, and the system call metadata; and an instruction sending module 630 configured to send the blocking control instruction to the blocking control node, so that the blocking control node performs blocking control from the network side or the system side according to the blocking control instruction.
In an exemplary embodiment, the data acquisition module includes: the data acquisition unit is used for monitoring and acquiring network metadata at a network side by adopting an eBPF technology and monitoring and acquiring system calling metadata at a system side; the network metadata comprises network link data or network flow data, and the system call metadata comprises system process data or system call parameter data.
In an exemplary embodiment, the blocking control instruction includes a network blocking control instruction and a system call blocking control instruction, and the blocking control node includes a network side blocking control node and a system side blocking control node; the instruction sending module comprises: the first blocking control unit is used for sending the network blocking control instruction to the network side blocking control node so that the network side blocking control node can carry out blocking control on the network through a first blocking mechanism; and the second blocking control unit is used for sending the system call blocking control instruction to the system side blocking control node so that the system side blocking control node performs blocking control on the system call through a second blocking mechanism.
In an exemplary embodiment, the container security protection apparatus further includes: a priority information synchronization module for defining priority information according to system events and synchronizing the priority information to the information cache node; the information caching node is used for caching the priority information, and the priority information is used for managing the priority of the network metadata and the priority of the system call metadata.
In an exemplary embodiment, the container security protection apparatus further includes: a data synchronization module for respectively acquiring network metadata from the network side through the data tracking node, acquiring system call metadata from the system side, and synchronizing the network metadata and the system call metadata to the data collection node; a priority adjusting module for enabling the data collection node to obtain priority information from the information cache node, adjust the priority of the network metadata and the priority of the system call metadata according to the collected context information, and input the network metadata and the system call metadata into the data cache queue according to the priorities; and the data acquisition module is used for acquiring the network metadata and the system call metadata from the data cache queue according to the priority.
In an exemplary embodiment, the data buffer queue is a circular buffer queue.
In an exemplary embodiment, the instruction generation module includes: a blocking rule obtaining unit, configured to obtain a blocking rule from a rule engine node; and the rule engine node is used for defining malicious behavior data according to the behavior data acquired in advance and determining a blocking rule.
The specific details of each module/unit in the above-mentioned apparatus have been described in detail in the embodiment of the method section, and the details that are not disclosed may refer to the contents of the embodiment of the method section, and therefore are not described herein again.
Exemplary embodiments of the present disclosure also provide an electronic device capable of implementing the above method.
As will be appreciated by one skilled in the art, aspects of the present disclosure may be embodied as a system, method or program product. Accordingly, various aspects of the present disclosure may be embodied in the form of: an entirely hardware embodiment, an entirely software embodiment (including firmware, microcode, etc.) or an embodiment combining hardware and software aspects that may all generally be referred to herein as a "circuit," "module," or "system."
An electronic device 700 according to such an exemplary embodiment of the present disclosure is described below with reference to fig. 7. The electronic device 700 shown in fig. 7 is only an example and should not bring any limitation to the functions and the scope of use of the embodiments of the present disclosure.
As shown in fig. 7, electronic device 700 is embodied in the form of a general purpose computing device. The components of the electronic device 700 may include, but are not limited to: the at least one processing unit 710, the at least one memory unit 720, a bus 730 connecting different system components (including the memory unit 720 and the processing unit 710), and a display unit 740.
Where the memory unit stores program code, the program code may be executed by the processing unit 710 such that the processing unit 710 performs the steps according to various exemplary embodiments of the present disclosure as described in the above-mentioned "exemplary methods" section of this specification. For example, processing unit 710 may perform the steps shown in fig. 1, 2, 3, or 5, and so on.
The memory unit 720 may include readable media in the form of volatile memory units, such as a random access memory unit (RAM) 721 and/or a cache memory unit 722, and may further include a read only memory unit (ROM) 723.
The memory unit 720 may also include programs/utilities 724 having a set (at least one) of program modules 725, such program modules 725 including, but not limited to: an operating system, one or more application programs, other program modules, and program data, each of which, or some combination thereof, may comprise an implementation of a network environment.
Bus 730 may be any representation of one or more of several types of bus structures, including a memory unit bus or memory unit controller, a peripheral bus, an accelerated graphics port, a processing unit, or a local bus using any of a variety of bus architectures.
The electronic device 700 may also communicate with one or more external devices 800 (e.g., keyboard, pointing device, bluetooth device, etc.), with one or more devices that enable a user to interact with the electronic device 700, and/or with any devices (e.g., router, modem, etc.) that enable the electronic device 700 to communicate with one or more other computing devices. Such communication may occur via an input/output (I/O) interface 750. Also, the electronic device 700 may communicate with one or more networks (e.g., a Local Area Network (LAN), a Wide Area Network (WAN), and/or a public network such as the internet) via the network adapter 760. As shown, the network adapter 760 communicates with the other modules of the electronic device 700 via the bus 730. It should be appreciated that although not shown in the figures, other hardware and/or software modules may be used in conjunction with the electronic device 700, including but not limited to: microcode, device drivers, redundant processing units, external disk drive arrays, RAID systems, tape drives, and data backup storage systems, among others.
Through the above description of the embodiments, those skilled in the art will readily understand that the exemplary embodiments described herein may be implemented by software, or by software in combination with necessary hardware. Therefore, the technical solution according to the embodiments of the present disclosure may be embodied in the form of a software product, which may be stored in a non-volatile storage medium (which may be a CD-ROM, a usb disk, a removable hard disk, etc.) or on a network, and includes several instructions to enable a computing device (which may be a personal computer, a server, a terminal device, or a network device, etc.) to execute the method according to the exemplary embodiments of the present disclosure.
Exemplary embodiments of the present disclosure also provide a computer-readable storage medium having stored thereon a program product capable of implementing the above-described method of the present specification. In some possible embodiments, various aspects of the disclosure may also be implemented in the form of a program product comprising program code for causing a terminal device to perform the steps according to various exemplary embodiments of the disclosure described in the above-mentioned "exemplary methods" section of this specification, when the program product is run on the terminal device.
Exemplary embodiments of the present disclosure also provide a program product for implementing the above method, which may employ a portable compact disc read only memory (CD-ROM) and include program code, and may be run on a terminal device, such as a personal computer. However, the program product of the present disclosure is not limited thereto, and in this document, a readable storage medium may be any tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device.
The program product may employ any combination of one or more readable media. The readable medium may be a readable signal medium or a readable storage medium. A readable storage medium may be, for example, but not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any combination of the foregoing. More specific examples (a non-exhaustive list) of the readable storage medium include: an electrical connection having one or more wires, a portable disk, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
A computer readable signal medium may include a propagated data signal with readable program code embodied therein, for example, in baseband or as part of a carrier wave. Such a propagated data signal may take many forms, including, but not limited to, electro-magnetic, optical, or any suitable combination thereof. A readable signal medium may also be any readable medium that is not a readable storage medium and that can communicate, propagate, or transport a program for use by or in connection with an instruction execution system, apparatus, or device.
Program code embodied on a readable medium may be transmitted using any appropriate medium, including but not limited to wireless, wireline, optical fiber cable, RF, etc., or any suitable combination of the foregoing.
Program code for carrying out operations for the present disclosure may be written in any combination of one or more programming languages, including an object oriented programming language such as Java, C++ or the like and conventional procedural programming languages, such as the "C" programming language or similar programming languages. The program code may execute entirely on the user's computing device, partly on the user's device, as a stand-alone software package, partly on the user's computing device and partly on a remote computing device, or entirely on the remote computing device or server. In the case of a remote computing device, the remote computing device may be connected to the user computing device through any kind of network, including a Local Area Network (LAN) or a Wide Area Network (WAN), or may be connected to an external computing device (e.g., through the internet using an internet service provider).
Furthermore, the above-described figures are merely schematic illustrations of processes included in methods according to exemplary embodiments of the present disclosure, and are not intended to be limiting. It will be readily understood that the processes shown in the above figures are not intended to indicate or limit the chronological order of the processes. In addition, it is also readily understood that these processes may be performed synchronously or asynchronously, e.g., in multiple modules.
It should be noted that although in the above detailed description several modules or units of the device for action execution are mentioned, such a division is not mandatory. Indeed, the features and functions of two or more modules or units described above may be embodied in one module or unit according to an exemplary embodiment of the present disclosure. Conversely, the features and functions of one module or unit described above may be further divided into embodiments by a plurality of modules or units.
Other embodiments of the disclosure will be apparent to those skilled in the art from consideration of the specification and practice of the disclosure disclosed herein. This application is intended to cover any variations, uses, or adaptations of the disclosure following, in general, the principles of the disclosure and including such departures from the present disclosure as come within known or customary practice within the art to which the disclosure pertains. It is intended that the specification and examples be considered as exemplary only, with a true scope and spirit of the disclosure being indicated by the following claims.
It will be understood that the present disclosure is not limited to the precise arrangements described above and shown in the drawings and that various modifications and changes may be made without departing from the scope thereof. The scope of the present disclosure is to be limited only by the following claims.

Claims (10)

1. A container safety protection method is applied to a central control node of a container end, and is characterized by comprising the following steps:
acquiring network metadata and system calling metadata;
acquiring a blocking rule, and generating a blocking control instruction according to the blocking rule, the network metadata and the system calling metadata;
and sending the blocking control instruction to a blocking control node so that the blocking control node performs blocking control from a network side or a system side according to the blocking control instruction.
2. The method of claim 1, wherein obtaining network metadata and system call metadata comprises:
monitoring and collecting the network metadata at a network side by adopting an eBPF technology, and monitoring and collecting the system calling metadata at a system side;
the network metadata comprises network link data or network flow data, and the system calling metadata comprises system process data or system calling parameter data.
3. The method according to claim 2, wherein the blocking control command comprises a network blocking control command and a system call blocking control command, and the blocking control nodes comprise a network side blocking control node and a system side blocking control node;
the sending the blocking control instruction to a blocking control node so that the blocking control node performs blocking control from a network side or a system side according to the blocking control instruction includes:
sending the network blocking control instruction to a network side blocking control node so that the network side blocking control node performs blocking control on the network through a first blocking mechanism;
and sending the system call blocking control instruction to a system side blocking control node so that the system side blocking control node performs blocking control on the system call through a second blocking mechanism.
4. The method of claim 1, further comprising:
defining priority information according to the system event and synchronizing the priority information to an information cache node;
the information caching node is configured to cache the priority information, and the priority information is used to manage priorities of the network metadata and the system call metadata.
5. The method of claim 4, wherein prior to obtaining the network metadata and the system call metadata, the method further comprises:
respectively acquiring the network metadata from a network side through a data tracking node, acquiring the system calling metadata from a system side, and synchronizing the network metadata and the system calling metadata to a data collection node;
enabling the data collection node to obtain priority information from the information cache node, adjusting the priority of the network metadata and the priority of the system call metadata according to the collected context information, and inputting the network metadata and the system call metadata into a data cache queue according to the priorities;
the acquiring the network metadata and the system call metadata includes:
and acquiring the network metadata and the system calling metadata from the data cache queue according to the priority.
6. The method of claim 5, wherein the data buffer queue is a circular buffer queue.
7. The method of claim 1, wherein obtaining the blocking rule comprises:
obtaining the blocking rule from a rule engine node;
and the rule engine node is used for defining malicious behavior data according to the behavior data acquired in advance and determining the blocking rule.
8. A container safety protection device is applied to a central control node at a container end, and is characterized by comprising:
the data acquisition module is used for acquiring network metadata and system calling metadata;
the instruction generation module is used for acquiring a blocking rule and generating a blocking control instruction according to the blocking rule, the network flow metadata and the system call metadata;
and the instruction sending module is used for sending the blocking control instruction to a blocking control node so that the blocking control node carries out blocking control from a network side or a system side according to the blocking control instruction.
9. An electronic device, comprising:
a processor; and
a memory for storing executable instructions of the processor;
wherein the processor is configured to perform the method of any of claims 1-7 via execution of the executable instructions.
10. A computer-readable storage medium, on which a computer program is stored, which, when being executed by a processor, carries out the method of any one of claims 1 to 7.
CN202111495830.2A 2021-12-09 2021-12-09 Container safety protection method, container safety protection device, electronic apparatus, and medium Pending CN114168969A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202111495830.2A CN114168969A (en) 2021-12-09 2021-12-09 Container safety protection method, container safety protection device, electronic apparatus, and medium


Publications (1)

Publication Number Publication Date
CN114168969A true CN114168969A (en) 2022-03-11

Family

ID=80484785


Country Status (1)

Country Link
CN (1) CN114168969A (en)


Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination