CN114615028A - Method for identifying abnormal behavior of container based on normal behavior modeling of container - Google Patents

Info

Publication number
CN114615028A
Authority
CN
China
Prior art keywords
container
behavior
model
identifying
abnormal behavior
Legal status
Granted
Application number
CN202210178821.9A
Other languages
Chinese (zh)
Other versions
CN114615028B (en)
Inventor
李坊
袁曙光
王震
Current Assignee
Beijing Xiaoyou Network Technology Co ltd
Original Assignee
Beijing Xiaoyou Network Technology Co ltd

Classifications

    • H: ELECTRICITY
    • H04: ELECTRIC COMMUNICATION TECHNIQUE
    • H04L: TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00: Network architectures or network communication protocols for network security
    • H04L63/14: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1408: Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
    • H04L63/1416: Event detection, e.g. attack signature detection
    • H04L41/00: Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
    • H04L41/14: Network analysis or design
    • H04L41/145: Network analysis or design involving simulating, designing, planning or modelling of a network
    • H04L67/00: Network arrangements or protocols for supporting network services or applications
    • H04L67/01: Protocols
    • H04L67/02: Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
    • Y: GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02: TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D: CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D10/00: Energy efficient computing, e.g. low power processors, power management or thermal management

Abstract

A method for identifying abnormal container behavior based on modeling of normal container behavior, comprising: a defense end that collects host kernel events and associates them with container information; a data center that uniformly manages the deduplication, classification, size and so on of the models and stores them in a cloud-natively deployed database or in a third-party database provided by the B-end (business) customer; and an interaction end that handles web presentation and user interaction, providing capabilities such as risk early warning, model management and audit of historical container behavior. The invention has the advantages of high efficiency, accurate detection, wide applicability and low power consumption.

Description

Method for identifying abnormal behavior of container based on normal behavior modeling of container
Technical field:
The invention relates to the technical field of intrusion detection for cloud computing containers, in particular to a method for identifying abnormal container behavior based on modeling of normal container behavior.
Background art:
Intrusion detection refers to discovering intrusion behavior and signs of attack present in a computer or network. It belongs to the active defense technologies: it can detect abnormal intrusions in time and raise an alarm or take other emergency countermeasures.
At present, most intrusion detection is host-based security detection technology, and there are few corresponding products in the cloud native field that can handle large-scale container deployment projects. If the host security mode is still adopted for detecting abnormal behavior on a host, the specific service that was compromised cannot be located, and early warning and unified emergency management are inconvenient to carry out.
Summary of the invention:
In view of this, it is necessary to design a method for identifying abnormal container behavior based on modeling of normal container behavior, to solve the problem in the prior art that, when the host security mode is still adopted for detecting abnormal behavior on a host, the specific compromised service cannot be located and early warning and unified emergency management are inconvenient to carry out.
A method for identifying abnormal container behavior based on modeling of normal container behavior, comprising: a defense end for collecting host kernel events and associating them with container information;
a data center for uniformly managing the deduplication, classification, size and so on of the models and for storing the models in a cloud-natively deployed database or in a third-party database provided by the B-end (business) customer;
and an interaction end for web presentation and user interaction, providing capabilities such as risk early warning, model management and audit of historical container behavior.
Preferably, the defense end comprises a plurality of defense containers.
Preferably, the defense containers correspond one-to-one to the hosts.
Preferably, each defense container is associated with its corresponding host through Linux namespaces.
Preferably, the defense end is associated with the data center through load balancing.
Preferably, the data center includes a plurality of servers, and the load balancing distributes the defense containers evenly across the plurality of servers.
Preferably, the data center and the interaction end are associated with each other.
Preferably, the interaction end can provide container behavior records.
Preferably, the data center can perform image model extraction, image model management and early warning of behavior outside the model according to the container behavior records.
Preferably, the interaction end can raise an alarm according to an image model in the data center.
In the invention, because each module of a cloud native service has a single responsibility and is micro-serviced, container behavior can be modeled to replace the single means of matching services against an intrusion model and the like; this gives the method universality and makes it necessary, and it is better suited to the diversity and complexity of current commercial applications.
Description of the drawings:
FIG. 1 is a schematic diagram of the method for identifying container abnormal behavior based on container normal behavior modeling of the present invention.
Detailed description:
Referring to FIG. 1, the overall architecture of this application is divided into the following components:
Defense end: comprises a plurality of defense containers that correspond one-to-one to a plurality of hosts and are mainly responsible for collecting the kernel events of the hosts. The collected information comprises three data sources: process, file and network. The three data sources are associated with container information through the process ID; the container information is obtained from the container runtime (docker, crio and the like), and the detailed container information includes the image hash ID. A process model, a file model and a network model are constructed from the data sources and bound to the image hash ID. Events during the learning period are classified as in-model events; after learning, an event outside the model is an abnormal event. The models are periodically reported to the data center for unified management.
Load balancing: each defense container is assigned evenly to a server of the upper-level data center using the Round Robin load mode of the Kubernetes Service component.
Data center: responsible for uniformly managing the deduplication, classification, size and so on of the models, and for storing them in a cloud-natively deployed database or in a third-party database provided by the B-end (business) customer.
Interaction end: responsible for web presentation and user interaction, providing capabilities such as risk early warning, model management and audit of historical container behavior.
In the invention, all product components are deployed using a cloud native scheme and are adapted to Kubernetes and OpenShift clusters. A defense container is deployed on each host to collect kernel process events; the extracted container information is associated with an image through the Linux namespaces of the container; behavior models are uniformly summarized per image and gradually learned and refined, so that the models become highly consistent with the current application, the model size is minimized and model reuse is improved.
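As an added example (not the patent's own code), the per-image learning described above in Python: constructed kernel events are mapped through the process ID to a container and its image hash ID, the process, file and network models are bound per image and shared by containers from the same image, and after the learning period any event outside its image's model is reported as abnormal. The PID lookup table, the event shape and all sample values are assumptions.

```python
from dataclasses import dataclass, field
# Constructed lookup of process ID -> (container id, image hash id). In the
# patent this comes from the container runtime and Linux namespaces.
PID_TO_CONTAINER = {
    101: ("c-web-1", "sha256:aaa"),
    102: ("c-web-2", "sha256:aaa"),  # second container from the same image
    201: ("c-db-1", "sha256:bbb"),
}
# Constructed kernel events as (pid, kind, value); kind is one of the three
# data sources the patent names: process, file, network.
LEARNING_EVENTS = [
    (101, "process", "nginx"), (101, "file", "/etc/nginx/nginx.conf"),
    (101, "network", "10.0.0.5:5432"), (102, "process", "nginx"),
    (102, "file", "/var/log/nginx/access.log"),
    (201, "process", "postgres"), (201, "file", "/var/lib/postgresql/data"),
]
LIVE_EVENTS = [
    (102, "network", "10.0.0.5:5432"),      # learned for this image via c-web-1
    (101, "process", "bash"),               # never seen for this image
    (201, "network", "198.51.100.7:4444"),  # never seen for this image
    (999, "process", "sshd"),               # host process, no container
]

@dataclass
class ImageModel:
    """Normal-behaviour model bound to one image hash ID: a process model,
    a file model and a network model, as in the patent's defense end."""
    image: str
    process: set = field(default_factory=set)
    file: set = field(default_factory=set)
    network: set = field(default_factory=set)
    def learn(self, kind, value):
        getattr(self, kind).add(value)
    def contains(self, kind, value):
        return value in getattr(self, kind)

def build_models(events):
    """Learning period: every event seen for an image is in-model. Events of
    containers sharing an image go into one model, so the model is reused."""
    models = {}
    for pid, kind, value in events:
        if pid not in PID_TO_CONTAINER:
            continue  # not a container process; outside the model's scope
        _, image = PID_TO_CONTAINER[pid]
        models.setdefault(image, ImageModel(image)).learn(kind, value)
    return models

def detect(models, events):
    """After learning: an event outside its image's model is abnormal.
    Returns (container, image, kind, value) for each abnormal event."""
    alerts = []
    for pid, kind, value in events:
        if pid not in PID_TO_CONTAINER:
            continue
        container, image = PID_TO_CONTAINER[pid]
        model = models.get(image)
        if model is None or not model.contains(kind, value):
            alerts.append((container, image, kind, value))
    return alerts
```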
Furthermore, in the invention, the data center and the interaction end are associated with each other: the interaction end can provide container behavior records, the data center can perform image model extraction, image model management and early warning of behavior outside the model according to those records, and the interaction end can raise an alarm according to an image model in the data center.
In the invention, because each module of a cloud native service has a single responsibility and is micro-serviced, container behavior can be modeled to replace the single means of matching services against an intrusion model and the like; this gives the method universality and makes it necessary, and it is better suited to the diversity and complexity of current commercial applications.

Claims (10)

1. A method for identifying abnormal container behavior based on modeling of normal container behavior, comprising:
a defense end for collecting host kernel events and associating them with container information;
a data center for uniformly managing the deduplication, classification, size and so on of the models and for storing the models in a cloud-natively deployed database or in a third-party database provided by the B-end (business) customer;
and an interaction end for web presentation and user interaction, providing capabilities such as risk early warning, model management and audit of historical container behavior.
2. The method for identifying abnormal container behavior based on modeling of normal container behavior of claim 1, wherein the defense end comprises a plurality of defense containers.
3. The method for identifying abnormal container behavior based on modeling of normal container behavior of claim 2, wherein the plurality of defense containers are in one-to-one correspondence with a plurality of hosts.
4. The method for identifying abnormal container behavior based on modeling of normal container behavior of claim 3, wherein each defense container is associated with its corresponding host through Linux namespaces.
5. The method for identifying abnormal container behavior based on modeling of normal container behavior of claim 2, wherein the defense end is associated with the data center through load balancing.
6. The method for identifying abnormal container behavior based on modeling of normal container behavior of claim 5, wherein the data center comprises a plurality of servers, and the load balancing distributes the defense containers evenly across the plurality of servers.
7. The method for identifying abnormal container behavior based on modeling of normal container behavior of claim 1, wherein the data center and the interaction end are associated with each other.
8. The method for identifying abnormal container behavior based on modeling of normal container behavior of claim 7, wherein the interaction end is capable of providing container behavior records.
9. The method for identifying abnormal container behavior based on modeling of normal container behavior of claim 8, wherein the data center can perform image model extraction, image model management and early warning of behavior outside the model according to the container behavior records.
10. The method for identifying abnormal container behavior based on modeling of normal container behavior of claim 9, wherein the interaction end is capable of raising an alarm according to an image model in the data center.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210178821.9A CN114615028B (en) 2022-02-25 2022-02-25 Method for identifying abnormal behavior of container based on normal behavior modeling of container

Publications (2)

Publication Number Publication Date
CN114615028A (en) 2022-06-10
CN114615028B (en) 2023-06-02

Family

ID=81860006

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108471420A (en) * 2018-03-29 2018-08-31 上交所技术有限责任公司 Based on network mode identification and matched vessel safety defence method and device
US20190004917A1 (en) * 2017-06-30 2019-01-03 International Business Machines Corporation Kernel-based power consumption and isolation and defense against emerging power attacks
CN111813497A (en) * 2020-06-30 2020-10-23 绿盟科技集团股份有限公司 Container environment anomaly detection method, device, medium and computer equipment

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant