CN114615028A - Method for identifying abnormal behavior of container based on normal behavior modeling of container - Google Patents
- Publication number: CN114615028A (application CN202210178821.9A)
- Authority: CN (China)
- Prior art keywords: container, behavior, model, identifying, abnormal behavior
- Legal status: Granted (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/14—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
- H04L63/1408—Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic by monitoring network traffic
- H04L63/1416—Event detection, e.g. attack signature detection
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L41/00—Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
- H04L41/14—Network analysis or design
- H04L41/145—Network analysis or design involving simulating, designing, planning or modelling of a network
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L67/00—Network arrangements or protocols for supporting network services or applications
- H04L67/01—Protocols
- H04L67/02—Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
- Y—GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
- Y02—TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
- Y02D—CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
- Y02D10/00—Energy efficient computing, e.g. low power processors, power management or thermal management
Landscapes
- Engineering & Computer Science (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Security & Cryptography (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Medical Treatment And Welfare Office Work (AREA)
- Management, Administration, Business Operations System, And Electronic Commerce (AREA)
Abstract
A method of identifying abnormal container behavior based on modeling of normal container behavior, comprising: a defense end, which collects host kernel events and associates them with container information; a data center, which centrally manages deduplication, classification, size and similar properties of the model and stores the model in a cloud-natively deployed database or in a third-party database provided by the B-side (business customer); and an interaction terminal, which provides the Web presentation and user interaction, including risk early warning, model management and audit of historical container behavior. The invention has the advantages of high efficiency, accurate detection, wide applicability and low power consumption.
Description
The technical field is as follows:
The invention relates to the technical field of intrusion detection methods for cloud computing containers, in particular to a method for identifying abnormal container behavior based on modeling of normal container behavior.
Background art:
Intrusion detection refers to discovering intrusion behavior and signs of attack present in a computer or network. It belongs to the active defense technologies: it can detect abnormal intrusions in a timely manner and respond with alarms or other emergency countermeasures.
At present, most intrusion detection is host-based security detection technology, and there are few corresponding products in the cloud native field that can handle large-scale container deployment projects. If the host security mode is still adopted for detecting abnormal behavior on the host, the specific compromised service cannot be located, and early warning and unified emergency management are inconvenient to carry out.
The invention content is as follows:
In view of this, it is necessary to design a method for identifying abnormal container behavior based on modeling of normal container behavior, to solve the problem in the prior art that, if the host security mode is still adopted for detecting abnormal behavior on the host, the specific compromised service cannot be located, and early warning and unified emergency management are inconvenient to perform.
A method of identifying abnormal container behavior based on modeling of normal container behavior, comprising: a defense end, which collects host kernel events and associates them with container information;
a data center, which centrally manages deduplication, classification, size and similar properties of the model and stores the model in a cloud-natively deployed database or in a third-party database provided by the B-side (business customer);
and an interaction terminal, which provides the Web presentation and user interaction, including risk early warning, model management and audit of historical container behavior.
Preferably, the defense end comprises a plurality of defense containers.
Preferably, the defense containers correspond one-to-one with the hosts.
Preferably, each defense container is associated with its corresponding host through Linux namespaces.
Preferably, the defense end is associated with the data center through load balancing.
Preferably, the data center includes a plurality of servers, and the load balancing is configured to distribute the defense containers evenly across the plurality of servers.
Preferably, the data center and the interaction terminal are associated with each other.
Preferably, the interaction terminal is capable of providing a container behavior record.
Preferably, the data center can perform image model extraction, image model management and early warning of behavior outside the model according to the container behavior record.
Preferably, the interaction terminal can raise an alarm according to an image model held in the data center.
In the invention, based on the single responsibility and microservice nature of each module in a cloud native service, container behavior can be modeled to replace the single means of matching services against an intrusion model, so the method is universal and necessary, and is better suited to the diversity and complexity of current commercial applications.
Description of the drawings:
FIG. 1 is a schematic diagram of the method for identifying container abnormal behavior based on container normal behavior modeling of the present invention.
The specific implementation mode is as follows:
Refer to FIG. 1. The overall architecture in this application is divided into the following components:
The defense end comprises a plurality of defense containers, which correspond one-to-one with the hosts and are mainly responsible for collecting the kernel events of the hosts. The collected information comprises three data sources: process, file and network. The three data sources are related to container information through the process ID, and the container information is obtained from the container runtime (Docker, CRI-O or containerd); the detailed container information includes the image hash ID. A process model, a file model and a network model are constructed from the data sources and bound to the image hash ID. Events observed during the learning period are classified as inside the model; after learning, an event outside the model is treated as abnormal behavior. The model is periodically reported to the data center for unified management.
Load balancing is responsible for distributing each defense container evenly across the upper-level data center servers, using the Round Robin load mode of the Kubernetes Service component.
The data center is responsible for centrally managing deduplication, classification, size and similar properties of the model and for storing the model in a cloud-natively deployed database or in a third-party database provided by the B-side (business customer).
The interaction terminal is responsible for the Web presentation and user interaction, and provides risk early warning, model management, audit of historical container behavior and similar interaction capabilities.
In the invention, all product components are deployed using a cloud native scheme and are adapted to Kubernetes and OpenShift clusters. A defense container is deployed on each host to collect kernel process events; the extracted container information is associated with an image by locating the container through Linux namespaces; behavior models are uniformly summarized per image and gradually learned and refined so that the models closely match the current application, keeping model size minimal and improving model reuse.
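As an added illustration that is not part of the patent, the following Python sketch models the learning-then-detection scheme described above: kernel events (process, file, network) are attributed to a container via the process ID, the container is resolved to an image hash, one model per image hash is filled during a learning period, and after learning any event outside the model is reported as abnormal. It also shows the data-center style deduplication, where models reported by different hosts for the same image are merged into one baseline. The PID-to-container and container-to-image tables stand in for the namespace and container-runtime lookups and are constructed sample data, as are the events and image hashes.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


@dataclass(frozen=True)
class KernelEvent:
    """One host kernel event as a defense container would collect it (constructed sample)."""
    pid: int
    kind: str    # "process", "file" or "network"
    value: str   # executable path, file path, or "proto:dst_port"


@dataclass
class ImageModel:
    """Process, file and network baselines bound to one image hash ID."""
    image_hash: str
    process: Set[str] = field(default_factory=set)
    file: Set[str] = field(default_factory=set)
    network: Set[str] = field(default_factory=set)
    learning: bool = True

    def bucket(self, kind: str) -> Set[str]:
        return {"process": self.process, "file": self.file, "network": self.network}[kind]

    def size(self) -> int:
        return len(self.process) + len(self.file) + len(self.network)

    def merge(self, other: "ImageModel") -> None:
        """Data-center deduplication: models reported for the same image are unioned,
        so every container running that image shares one baseline."""
        if other.image_hash != self.image_hash:
            raise ValueError("cannot merge models of different images")
        for kind in ("process", "file", "network"):
            self.bucket(kind).update(other.bucket(kind))


class DefenseAgent:
    """Per-host collector: maps PID -> container -> image hash and keeps one model per image."""

    def __init__(self, pid_to_container: Dict[int, str], container_to_image: Dict[str, str]):
        # A real agent derives these from the PID namespace and the container runtime;
        # here they are constructed (hypothetical) lookup tables.
        self.pid_to_container = pid_to_container
        self.container_to_image = container_to_image
        self.models: Dict[str, ImageModel] = {}

    def observe(self, ev: KernelEvent) -> Optional[dict]:
        """Absorb the event while the image's model is learning; afterwards return an
        alert for any event not in the model, or None when the event is known."""
        container = self.pid_to_container.get(ev.pid)
        if container is None:
            return None  # plain host process, not attributable to any container
        image = self.container_to_image[container]
        model = self.models.setdefault(image, ImageModel(image))
        bucket = model.bucket(ev.kind)
        if model.learning:
            bucket.add(ev.value)
            return None
        if ev.value in bucket:
            return None
        return {"image": image, "container": container, "kind": ev.kind, "value": ev.value}

    def end_learning(self, image_hash: str) -> None:
        self.models[image_hash].learning = False


def run_demo() -> dict:
    """Constructed scenario: two web containers share one image, a database container another."""
    agent = DefenseAgent(
        pid_to_container={101: "c-web-1", 102: "c-web-1", 201: "c-web-2", 301: "c-db-1"},
        container_to_image={"c-web-1": "sha256:web-img", "c-web-2": "sha256:web-img",
                            "c-db-1": "sha256:db-img"},
    )
    learning = [
        KernelEvent(101, "process", "/usr/sbin/nginx"),
        KernelEvent(101, "file", "/etc/nginx/nginx.conf"),
        KernelEvent(101, "network", "tcp:443"),
        KernelEvent(201, "file", "/var/log/nginx/access.log"),  # learned via the other web container
        KernelEvent(301, "process", "/usr/bin/postgres"),
    ]
    for ev in learning:
        agent.observe(ev)
    agent.end_learning("sha256:web-img")  # the db image stays in its learning period

    detection = [
        KernelEvent(102, "process", "/bin/sh"),                 # not in the web model -> alert
        KernelEvent(101, "file", "/var/log/nginx/access.log"),  # known from c-web-2 -> no alert
        KernelEvent(301, "file", "/tmp/scratch"),               # db image still learning -> absorbed
        KernelEvent(999, "process", "/usr/bin/curl"),           # host PID -> ignored
    ]
    alerts = [a for a in (agent.observe(ev) for ev in detection) if a is not None]

    # Another host reports its own model for the same image; the data center merges them.
    reported = ImageModel("sha256:web-img", process={"/usr/sbin/nginx"}, network={"tcp:443", "tcp:80"})
    central = agent.models["sha256:web-img"]
    before = central.size()
    central.merge(reported)
    return {"alerts": alerts, "size_before_merge": before, "size_after_merge": central.size()}


if __name__ == "__main__":
    print(run_demo())
```

Because the model is keyed by image hash rather than by container, a file path first seen in one replica is not flagged when a sibling replica of the same image touches it later, which is what keeps the model small and reusable; the cost is that anything learned during the learning period, including activity that was already unwanted, becomes part of the baseline, so the learning window has to be bounded and reviewed.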
Furthermore, in the invention the data center and the interaction terminal are associated with each other: the interaction terminal can provide container behavior records; the data center can perform image model extraction, image model management and early warning of behavior outside the model according to those records; and the interaction terminal can raise an alarm according to an image model held in the data center.
In the invention, based on the single responsibility and microservice nature of each module in a cloud native service, container behavior can be modeled to replace the single means of matching services against an intrusion model, so the method is universal and necessary, and is better suited to the diversity and complexity of current commercial applications.
Claims (10)
1. A method for identifying container abnormal behavior based on container normal behavior modeling, comprising:
the defense end is used for collecting the host kernel event and associating the host kernel event with the container information;
the data center is used for uniformly managing deduplication, classification, size and similar properties of the model and storing the model in a cloud-natively deployed database or in a third-party database provided by the B-side (business customer);
and the interaction terminal is used for Web presentation and user interaction, and provides interaction capabilities such as risk early warning, model management, container historical behavior audit and the like.
2. The method for identifying container abnormal behavior based on container normal behavior modeling of claim 1, wherein the defending end comprises a plurality of defending containers.
3. The method for identifying container abnormal behavior based on container normal behavior modeling of claim 2, wherein the plurality of defensive containers are in one-to-one correspondence with a plurality of hosts.
4. The method for identifying container abnormal behavior based on container normal behavior modeling according to claim 3, wherein each defending container is associated with the corresponding host through Linux namespaces.
5. The method for identifying container abnormal behavior based on container normal behavior modeling of claim 2, wherein the defending end is associated with the data center through load balancing.
6. The method for identifying container abnormal behavior based on container normal behavior modeling of claim 5, wherein the data center comprises a plurality of servers, and the load balancing distributes each of the defending containers evenly to the plurality of servers.
7. The method for identifying container abnormal behavior based on container normal behavior modeling according to claim 1, wherein the data center and the interactive end are interrelated.
8. The method for identifying container abnormal behavior based on container normal behavior modeling according to claim 7, wherein the interactive end is capable of providing a container behavior record.
9. The method for identifying container abnormal behavior based on container normal behavior modeling according to claim 8, wherein the data center can perform image model extraction, image model management, and early warning of behavior outside the model according to the container behavior record.
10. The method for identifying container abnormal behavior based on container normal behavior modeling according to claim 9, wherein the interaction end is capable of alarming according to an image model in the data center.
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202210178821.9A CN114615028B (en) | 2022-02-25 | 2022-02-25 | Method for identifying abnormal behavior of container based on normal behavior modeling of container |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202210178821.9A CN114615028B (en) | 2022-02-25 | 2022-02-25 | Method for identifying abnormal behavior of container based on normal behavior modeling of container |
Publications (2)
Publication Number | Publication Date |
---|---|
CN114615028A true CN114615028A (en) | 2022-06-10 |
CN114615028B CN114615028B (en) | 2023-06-02 |
Family
ID=81860006
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202210178821.9A Active CN114615028B (en) | 2022-02-25 | 2022-02-25 | Method for identifying abnormal behavior of container based on normal behavior modeling of container |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN114615028B (en) |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN108471420A (en) * | 2018-03-29 | 2018-08-31 | 上交所技术有限责任公司 | Based on network mode identification and matched vessel safety defence method and device |
US20190004917A1 (en) * | 2017-06-30 | 2019-01-03 | International Business Machines Corporation | Kernel-based power consumption and isolation and defense against emerging power attacks |
CN111813497A (en) * | 2020-06-30 | 2020-10-23 | 绿盟科技集团股份有限公司 | Container environment anomaly detection method, device, medium and computer equipment |
Timeline
- 2022-02-25: CN application CN202210178821.9A (granted as CN114615028B, status active)
Patent Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20190004917A1 (en) * | 2017-06-30 | 2019-01-03 | International Business Machines Corporation | Kernel-based power consumption and isolation and defense against emerging power attacks |
CN108471420A (en) * | 2018-03-29 | 2018-08-31 | 上交所技术有限责任公司 | Based on network mode identification and matched vessel safety defence method and device |
CN111813497A (en) * | 2020-06-30 | 2020-10-23 | 绿盟科技集团股份有限公司 | Container environment anomaly detection method, device, medium and computer equipment |
Also Published As
Publication number | Publication date |
---|---|
CN114615028B (en) | 2023-06-02 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US11966820B2 (en) | Utilizing machine learning models with a centralized repository of log data to predict events and generate alerts and recommendations | |
CN111885040A (en) | Distributed network situation perception method, system, server and node equipment | |
CN109471846A (en) | User behavior auditing system and method on a kind of cloud based on cloud log analysis | |
CN111459763B (en) | Cross-kubernetes cluster monitoring system and method | |
WO2020134361A1 (en) | State evaluation method for secondary equipment of substation, system, and equipment | |
CN108989097A (en) | A kind of mimicry system of defense threat warning method for visualizing and device | |
CN112787890B (en) | Block chain monitoring system | |
CN109978547B (en) | Risk behavior control method, risk behavior control system, risk behavior control device and storage medium | |
WO2021084020A1 (en) | Detection of security threats in a network environment | |
CN113434575B (en) | Data attribution processing method, device and storage medium based on data warehouse | |
CN117155771B (en) | Equipment cluster fault tracing method and device based on industrial Internet of things | |
CN114615028A (en) | Method for identifying abnormal behavior of container based on normal behavior modeling of container | |
WO2024037328A1 (en) | Global data control method and apparatus for network security of industrial control system of nuclear power plant | |
CN107808238A (en) | A kind of management method and system for equipping assets | |
CN109347205A (en) | A kind of intelligent control power supply unit and its realize system | |
CN108509314A (en) | A kind of host operating index monitoring alarm method and system device | |
CN115659351B (en) | Information security analysis method, system and equipment based on big data office | |
CN116069618A (en) | Application scene-oriented domestic system evaluation method | |
CN114385453A (en) | Database cluster exception handling method, device, equipment and medium | |
CN114490137A (en) | Service data real-time statistical method and device, electronic equipment and readable storage medium | |
CN113393159A (en) | Intelligent wind control platform system, device and equipment based on associated network | |
CN113556348A (en) | Server asset management system based on integrated monitoring | |
CN110175752A (en) | A kind of post-loan management system based on multi-energy data | |
CN108228881A (en) | One kind is based on Linux server log analysis result methods of exhibiting | |
CN106909976A (en) | A kind of intelligent building facilities management system |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||
SE01 | Entry into force of request for substantive examination | ||
GR01 | Patent grant | ||
GR01 | Patent grant |