CN115080291A - Container abnormal behavior processing method and device - Google Patents


Publication number
CN115080291A
Authority
CN
China
Prior art keywords
container
behavior
abnormal
log
result
Legal status
Pending
Application number
CN202210695561.2A
Other languages
Chinese (zh)
Inventor
郭皎
巨汉基
崔文武
崔凯
张东晖
韩迪
丁恒春
王杰
易忠林
谭志强
刘晓天
燕凯
郭磊
檀政
杨坡
祝恩国
庞富宽
袁瑞铭
李文文
王晨
汪洋
赵思翔
王亚超
彭鑫霞
张旭
Current Assignee
State Grid Corp of China SGCC
State Grid Jibei Electric Power Co Ltd
Original Assignee
State Grid Corp of China SGCC
State Grid Jibei Electric Power Co Ltd
Application filed by State Grid Corp of China SGCC, State Grid Jibei Electric Power Co Ltd
Priority to CN202210695561.2A
Publication of CN115080291A


Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F11/00 Error detection; Error correction; Monitoring
    • G06F11/07 Responding to the occurrence of a fault, e.g. fault tolerance
    • G06F11/0703 Error or fault processing not based on redundancy, i.e. by taking additional measures to deal with the error or fault not making use of redundancy in operation, in hardware, or in data representation
    • G06F11/079 Root cause analysis, i.e. error or fault diagnosis
    • G06F11/0766 Error or fault reporting or storing
    • G06F11/0775 Content or structure details of the error report, e.g. specific table structure, specific error fields
    • G06N COMPUTING ARRANGEMENTS BASED ON SPECIFIC COMPUTATIONAL MODELS
    • G06N3/00 Computing arrangements based on biological models
    • G06N3/02 Neural networks
    • G06N3/04 Architecture, e.g. interconnection topology
    • G06N3/08 Learning methods


Abstract

An embodiment of the invention provides a method and a device for processing abnormal behaviors of a container. The method comprises: performing anomaly detection on the acquired behavior log of the container; if an abnormal behavior is detected, generating a corresponding decision result from the abnormal behavior through a set abnormal decision strategy; and performing exception handling on the container according to the decision result. Anomaly analysis can thus be carried out on the basis of container behavior, which improves the accuracy of security protection and thereby ensures the confidentiality, integrity, reliability and availability of information.

Description

Container abnormal behavior processing method and device
Technical Field
The invention relates to the technical field of computers, in particular to the technical field of artificial intelligence, and specifically to a method and a device for processing abnormal behaviors of a container.
Background
The container engine (Docker) is a lightweight virtualization solution that has shown great advantages in many fields and is widely used, but it also exposes many security problems. Because of its characteristics, Docker has poor isolation and is complex to harden, so security problems such as container escape, paralysis of the container and the host machine, and user data leakage occur easily. Most security protection schemes proposed in the related art are based on a single Docker node, whereas the more widely used deployment mode at present is micro-service applications running on a Docker container cluster. Moreover, most existing Docker security schemes are prevention schemes against attack behaviors; their security protection accuracy is low, and the confidentiality, integrity, reliability and availability of information cannot be guaranteed.
Disclosure of Invention
An object of the present invention is to provide a container abnormal behavior processing method, which can perform abnormal analysis from container behaviors, and improve the accuracy of security protection, thereby ensuring the confidentiality, integrity, reliability, and availability of information. Another object of the present invention is to provide a container abnormal behavior processing apparatus. It is yet another object of the present invention to provide a computer readable medium. It is a further object of the present invention to provide a computer apparatus.
In order to achieve the above object, in one aspect, the present invention discloses a container abnormal behavior processing method, including:
performing anomaly detection on the acquired behavior log of the container;
if an abnormal behavior is detected, generating a corresponding decision result from the abnormal behavior through a set abnormal decision strategy;
and performing exception handling on the container according to the decision result.
Preferably, before performing anomaly detection on the acquired behavior log of the container, the method further includes:
and acquiring a behavior log of the container through a log collection tool and a log extraction command.
Preferably, performing anomaly detection on the acquired behavior log of the container includes:
performing anomaly detection on the behavior log through the constructed anomaly detection model to obtain a detection result, wherein the detection result comprises an abnormal behavior or a normal behavior.
Preferably, the log extraction command includes at least one of a run log command, an event command and a history command;
acquiring the behavior log of the container through the log collection tool and the log extraction command includes:
acquiring behavior log source data through the log collection tool;
extracting the running logs of all processes in the container from the behavior log source data through the run log command;
extracting a system event log from the behavior log source data through the event command;
extracting historical version information of the specified image from the behavior log source data through the history command;
and generating the behavior log according to the running logs, the system event log and the historical version information of the specified image.
Preferably, before the anomaly detection is performed on the behavior log through the constructed anomaly detection model to obtain the detection result, the method further includes:
normalizing and splicing the acquired sample logs to obtain a sample vector, wherein the sample logs comprise normal sample logs carrying normal labels and abnormal sample logs carrying abnormal labels;
and training the deep learning model through the sample log to obtain the anomaly detection model.
Preferably, the abnormal behavior comprises an improper access request;
generating the corresponding decision result from the abnormal behavior through the set abnormal decision strategy includes:
matching, from the abnormal decision strategies, the decision strategy corresponding to the improper access request, wherein the decision strategy comprises a stop access command, a permission judgment strategy and a file isolation judgment strategy;
judging the abnormal behavior through the permission judgment strategy and the file isolation judgment strategy to obtain a permission result and an isolation result;
and generating the decision result according to the stop access command, the permission result and the isolation result.
Preferably, judging the abnormal behavior through the permission judgment strategy and the file isolation judgment strategy to obtain the permission result and the isolation result includes:
judging the operation permission of the container to which the abnormal behavior belongs through the permission judgment strategy to obtain a corresponding permission result;
and judging the file type corresponding to the abnormal behavior through the file isolation judgment strategy to obtain a corresponding isolation result.
Preferably, judging the operation permission of the container to which the abnormal behavior belongs through the permission judgment strategy to obtain the corresponding permission result includes:
if the operation permission of the container to which the abnormal behavior belongs is the Privileged privilege, matching, through the permission judgment strategy, a permission result of closing the Privileged privilege.
Preferably, judging the file type corresponding to the abnormal behavior through the file isolation judgment strategy to obtain the corresponding isolation result includes:
if the file type corresponding to the abnormal behavior includes the system kernel, judging, through the file isolation judgment strategy, whether the container is mounted to a kernel folder in violation of the rules;
and if so, generating an isolation result of removing the mount and isolating the kernel folder.
Preferably, the decision result comprises the stop access command, the permission result and the isolation result, wherein the permission result is closing the Privileged privilege, and the isolation result is removing the mount and isolating the kernel folder;
performing exception handling on the container according to the decision result includes:
stopping the access request of the container in response to the stop access command; closing the Privileged privilege of the container in response to the permission result; and, in response to the isolation result, removing the mount between the container and the kernel folder and isolating the kernel folder.
The invention also discloses a container abnormal behavior processing device, which comprises a log system unit, an anomaly detection unit, an exception decision unit and an exception handling unit;
the log system unit is used for sending the behavior log of the container to the anomaly detection unit;
the anomaly detection unit is used for performing anomaly detection on the behavior log of the container and, if an abnormal behavior is detected, sending the abnormal behavior to the exception decision unit;
the exception decision unit is used for generating a corresponding decision result from the abnormal behavior through the set abnormal decision strategy and sending the decision result to the exception handling unit;
and the exception handling unit is used for performing exception handling on the container according to the decision result.
The invention also discloses a computer-readable medium, on which a computer program is stored which, when executed by a processor, implements a method as described above.
The invention also discloses a computer device comprising a memory for storing information comprising program instructions and a processor for controlling the execution of the program instructions, the processor implementing the method as described above when executing the program.
The invention also discloses a computer program product comprising computer programs/instructions which, when executed by a processor, implement the method as described above.
The invention performs anomaly detection on the acquired behavior log of the container; if an abnormal behavior is detected, it generates a corresponding decision result from the abnormal behavior through a set abnormal decision strategy; and it performs exception handling on the container according to the decision result. Anomaly analysis can thus be carried out on the basis of container behavior, which improves the accuracy of security protection and thereby ensures the confidentiality, integrity, reliability and availability of information.
Drawings
To illustrate the embodiments of the present invention or the technical solutions in the prior art more clearly, the drawings used in the description of the embodiments or the prior art are briefly described below. The drawings described below show only some embodiments of the present invention; those skilled in the art can obtain other drawings from them without creative effort.
FIG. 1 is a logic diagram of container exception handling according to an embodiment of the present invention;
FIG. 2 is a flowchart of a container abnormal behavior processing method according to an embodiment of the present invention;
FIG. 3 is a flowchart of another container abnormal behavior processing method according to an embodiment of the present invention;
FIG. 4 is a schematic structural diagram of a container abnormal behavior processing apparatus according to an embodiment of the present invention;
FIG. 5 is a schematic structural diagram of a computer device according to an embodiment of the present invention.
Detailed Description
The technical solutions in the embodiments of the present invention will be clearly and completely described below with reference to the drawings in the embodiments of the present invention, and it is obvious that the described embodiments are only a part of the embodiments of the present invention, and not all of the embodiments. All other embodiments, which can be derived by a person skilled in the art from the embodiments given herein without making any creative effort, shall fall within the protection scope of the present invention.
To facilitate understanding of the technical solutions provided in the present application, the relevant background is described first. At present, in electric power systems, metering equipment such as electric energy meters, terminals and digital meters all depends on mature operating systems. If this equipment is limited and restricted by external technologies, the software ecosystem of current metering equipment will be damaged and a suitable operating system cannot be selected, which causes the catastrophic problem of affecting the research, development and application of the equipment. Therefore, given the present state of power system terminal devices, it is necessary to research the key technologies of a lightweight embedded operating system, and to develop and design an autonomous, secure and controllable underlying operating system for intelligent metering devices together with its basic applications. The invention is applied to a convergence terminal, which is one kind of terminal and uses the developed lightweight embedded operating system; the system uses the container engine (Docker) technology for system security isolation, and the invention provides a security solution for the system based on the security problems of Docker.
The smart grid is built on modern information technology; it is a digital power grid established on an integrated, high-speed, bidirectional communication network and covers all links of power generation, transmission and transformation, scheduling, distribution and consumption. As an emerging cloud platform, Docker breaks with the traditional virtual-machine-based form of cloud computing and, taking the container as the basic unit, provides developers with the platform required for building, publishing and running distributed applications. To address Docker's security problems, the invention provides a scheme that records and analyzes Docker behaviors and makes corresponding decisions and responses. When a container becomes abnormal or is attacked and hijacked, it may adversely affect the system through improper access requests, frequent access to the database, excessive resource occupation and similar means. By recording and analyzing the various behaviors of Docker, abnormal conditions can be found early and handled in time, which ensures normal operation of the system.
The following describes an implementation process of the container abnormal behavior processing method according to the embodiment of the present invention, taking a container abnormal behavior processing apparatus as an example of an execution subject. It can be understood that the executing subject of the container abnormal behavior processing method provided by the embodiment of the present invention includes, but is not limited to, a container abnormal behavior processing apparatus.
Embodiment one:
FIG. 1 is a logic diagram of container exception handling according to an embodiment of the present invention. As shown in FIG. 1, the container behaviors of a Docker container are recorded in a log system; the container behaviors include, but are not limited to, running conditions, file reads and resource usage. The log system transmits log data to the anomaly detection module at regular intervals, and the anomaly detection module detects abnormal behaviors from the log data; the abnormal behaviors include, but are not limited to, improper access requests, frequent access to a database and excessive resource occupation. The anomaly detection module sends the detected abnormal behavior to the decision module. The decision module obtains a decision result from the abnormal behavior through a set abnormal decision strategy; the decision result includes, but is not limited to, access control, resource limitation and forced container shutdown. The decision module sends the decision result to the processing module, and the processing module calls a set processing mechanism to perform exception handling on the container according to the decision result; the processing mechanism includes, but is not limited to, Linux Security Module (LSM) hook functions, control groups (Cgroup) and Docker instructions.
Embodiment two:
FIG. 2 is a flowchart of a container abnormal behavior processing method according to an embodiment of the present invention. As shown in FIG. 2, the method includes:
Step 101, performing anomaly detection on the acquired behavior log of the container.
Step 102, if an abnormal behavior is detected, generating a corresponding decision result from the abnormal behavior through a set abnormal decision strategy.
Step 103, performing exception handling on the container according to the decision result.
In the technical solution provided by this embodiment of the invention, anomaly detection is performed on the acquired behavior log of the container; if an abnormal behavior is detected, a corresponding decision result is generated from the abnormal behavior through a set abnormal decision strategy; and exception handling is performed on the container according to the decision result. Anomaly analysis can thus be carried out on the basis of container behavior, which improves the accuracy of security protection and thereby ensures the confidentiality, integrity, reliability and availability of information.
Embodiment three:
FIG. 3 is a flowchart of another container abnormal behavior processing method according to an embodiment of the present invention. As shown in FIG. 3, the method includes:
Step 201, acquiring a behavior log of the container.
Specifically, the behavior log of the container is acquired through a log collection tool and a log extraction command.
In the embodiment of the invention, the log system provides the running state information of the Docker container and stores it as logs. The running state information includes, but is not limited to, running information, read-write file records and resource occupation status.
In the embodiment of the invention, the log collection tool is Fluentd. Fluentd is an open-source, general-purpose log collection and distribution system that can collect behavior log source data from multiple data sources and, after filtering and processing, distribute it to multiple storage and processing systems. Specifically, the behavior log source data is collected through Fluentd.
In the embodiment of the invention, Docker provides a number of log extraction commands, including but not limited to the run log (logs) command, the event (events) command and the history (history) command. The logs command prints the running logs of the processes in a container; the events command prints real-time system events; the history command prints the historical version information of a specified image, that is, the command record used to build each layer of the image. Specifically, the running logs of all processes in the container are extracted from the behavior log source data through the logs command; a system event log is extracted from the behavior log source data through the events command; the historical version information of the specified image is extracted from the behavior log source data through the history command; and the behavior log is generated from the running logs, the system event log and the historical version information of the specified image.
Further, the Cgroup component of Docker obtains information such as the container's access requests to and modification records of files and databases and the resources occupied by container processes during operation, and stores this information as logs to obtain read file records and resource occupation conditions. Together with the running logs, the system event log and the historical version information of the specified image provided by Docker, these provide the basis for subsequent anomaly detection. The behavior log is generated from the running logs, the system event log, the read file records, the resource occupation conditions and the historical version information of the specified image, providing a comprehensive basis for subsequent anomaly detection.
As an alternative, the behavior log may be stored with MongoDB, a database based on distributed file storage, as the back-end database.
Step 202, performing anomaly detection on the acquired behavior log of the container; if an abnormal behavior is detected, continuing to step 203; if no abnormal behavior is detected, ending the process.
In the embodiment of the invention, each step is executed by the container abnormal behavior processing device.
Specifically, anomaly detection is performed on the behavior log through the constructed anomaly detection model to obtain a detection result, wherein the detection result comprises an abnormal behavior or a normal behavior.
In the embodiment of the invention, the acquired sample logs are normalized and spliced to obtain a sample vector, and the deep learning model is trained through the sample log to obtain the anomaly detection model. Specifically, sample logs are obtained; the sample logs are behavior samples of the container and comprise normal sample logs, which carry a normal label, and abnormal sample logs, which carry an abnormal label. The sample logs are normalized to obtain normalized sample logs; the normalized sample logs are spliced to obtain a sample vector; and the sample vector is input into the deep learning model for model training to construct the anomaly detection model. As an alternative, the normal sample logs include, but are not limited to, behavior logs of legitimate requests, normal accesses and legitimate resource occupation, and the abnormal sample logs include, but are not limited to, behavior logs of improper access requests, frequent abnormal accesses and excessive resource occupation. For example, access requests for files on the host to which access is restricted, or for the readable and writable image layers of other containers, are all judged to be improper access requests; if the memory usage of a process exceeds a certain usage threshold, the process is judged to occupy excessive resources.
Specifically, the behavior log is input into the anomaly detection model. In the anomaly detection model, abnormal fields are selected by comparing conventional normal container behavior with conventional abnormal container attack behavior; the selected abnormal fields are normalized and spliced into a feature vector, which is classified through deep learning to judge whether abnormal behavior exists. If so, a detection result of abnormal container behavior is output, and the detection result includes the abnormal behavior; if not, a detection result of normal container behavior is output, the detection result includes the normal behavior, and no processing is performed.
As an alternative, selecting the abnormal fields specifically includes: comparing the values of the device field to judge whether there is a record of access to a device for which there is no access permission; if so, the device field is an abnormal field, and if not, the device field is a normal field; comparing the values of the cpuacct field to judge whether improper resource occupation above 90% occurs with high frequency; if so, the cpuacct field is an abnormal field, and if not, the cpuacct field is a normal field; comparing the values of the memory field to judge whether there are improper out-of-bounds access conditions and records; if so, the memory field is an abnormal field, and if not, the memory field is a normal field.
Note that the fields used for comparison are not limited to the device, cpuacct and memory fields described above, and may further include a block device (blkio) field, a central processor (cpu) field, a central processor node (cpuset) field, a freeze (Freezer) field, a test (perf_event) field and a network (net_cls) field. The blkio field is responsible for input and output control of block devices such as hard disks and USB devices; the cpu field is used to control the use of the CPU; the cpuset field is used for assigning specified CPUs and memory nodes; the cpuacct field is used for accounting CPU resource usage; the device field is used for controlling device access permissions; the memory field is used for setting memory usage limits and generating reports; the Freezer field is used to allow processes in the cgroup to be suspended or resumed; the perf_event field is used to allow the perf tool to perform unified performance testing based on Cgroup groupings; the net_cls field is used to limit network bandwidth.
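The field selection and normalized splicing described above can be sketched as follows. This is an added example, not code from the patent: the record layout, the sample values and the 0.5 cut-off used for "high frequency" are assumptions; only the 90% CPU threshold comes from the text.

```python
"""Added example: abnormal-field selection and normalized splicing (step 202)."""
from dataclasses import dataclass, field
from typing import List, Tuple

CPU_HIGH_PCT = 90.0   # threshold stated in the text
CPU_HIGH_FREQ = 0.5   # assumption: "high frequency" means over half the samples


@dataclass
class BehaviorRecord:
    """One container's behavior log window (hypothetical layout)."""
    container: str
    # (device path, was the access permitted?) pairs from the device field
    device_accesses: List[Tuple[str, bool]] = field(default_factory=list)
    # CPU usage samples in percent from the cpuacct field
    cpuacct_pct: List[float] = field(default_factory=list)
    # memory field: current usage, configured limit, out-of-bounds records
    memory_bytes: int = 0
    memory_limit_bytes: int = 0
    memory_oob_events: int = 0


def device_feature(rec):
    """Share of device accesses without permission; abnormal if any exist."""
    total = len(rec.device_accesses)
    denied = sum(1 for _, allowed in rec.device_accesses if not allowed)
    return (denied / total if total else 0.0), denied > 0


def cpuacct_feature(rec):
    """Share of samples above 90%; abnormal if that share is 'high frequency'."""
    total = len(rec.cpuacct_pct)
    high = sum(1 for pct in rec.cpuacct_pct if pct > CPU_HIGH_PCT)
    ratio = high / total if total else 0.0
    return ratio, ratio > CPU_HIGH_FREQ


def memory_feature(rec):
    """Usage relative to the limit; abnormal if out-of-bounds records exist."""
    if rec.memory_limit_bytes:
        usage = min(rec.memory_bytes / rec.memory_limit_bytes, 1.0)
    else:
        usage = 0.0  # no limit recorded: nothing to normalize against
    return usage, rec.memory_oob_events > 0


FIELDS = (("device", device_feature),
          ("cpuacct", cpuacct_feature),
          ("memory", memory_feature))


def analyze(rec):
    """Return (abnormal field names, spliced feature vector).

    Each field contributes a value normalized to [0, 1] and an abnormal
    flag; the pairs are concatenated in FIELDS order, giving the vector
    that would be handed to the classifier.
    """
    abnormal, vector = [], []
    for name, extract in FIELDS:
        value, is_abnormal = extract(rec)
        vector += [round(value, 4), 1.0 if is_abnormal else 0.0]
        if is_abnormal:
            abnormal.append(name)
    return abnormal, vector


MIB = 2 ** 20
# Constructed sample records, not real log data.
NORMAL = BehaviorRecord("web-1",
                        [("/dev/null", True), ("/dev/urandom", True)],
                        [12.0, 30.5, 8.0, 22.0], 200 * MIB, 512 * MIB, 0)
SUSPECT = BehaviorRecord("job-7",
                         [("/dev/null", True), ("/dev/sda", False),
                          ("/dev/mem", False), ("/dev/kmsg", False)],
                         [95.0, 97.2, 99.0, 40.0], 500 * MIB, 512 * MIB, 2)

if __name__ == "__main__":
    for record in (NORMAL, SUSPECT):
        print(record.container, *analyze(record))
```
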
And 203, generating a corresponding decision result according to the abnormal behavior through the set abnormal decision strategy.
In the embodiment of the present invention, the exception decision policy is set according to actual requirements, which is not limited in the embodiment of the present invention.
As an alternative, the abnormal behavior includes an improper access request, and step 203 specifically includes:
step 2031, matching out a decision policy corresponding to the improper access request from the abnormal decision policies, where the decision policy includes an access stop command, an authority decision policy, and a file isolation decision policy.
In the embodiment of the present invention, the abnormal decision policy may be configured with various decision policies corresponding to the abnormal behavior of the improper access request, including but not limited to a stop access command, an authority decision policy, and a file isolation decision policy. Wherein, the stop access command is an improper access request for rejecting the container, and the permission judgment policy and the file isolation policy need to further perform judgment processing according to the property and behavior of the container.
It should be noted that the decision policy corresponding to the improper access request may further include other decision policies, which may be configured specifically according to actual situations, and this is not limited in the embodiment of the present invention.
Step 2032, through the permission judgment strategy and the file isolation judgment strategy, the abnormal behavior is judged to obtain a permission result and an isolation result.
Specifically, the operation authority of the container to which the abnormal behavior belongs is judged through an authority judgment strategy, and a corresponding authority result is obtained. For example: judging whether the operation authority of the container to which the abnormal behavior belongs is a priority (Privileged) privilege or not, and matching an authority result for closing the priority privilege through an authority judgment strategy if the operation authority of the container to which the abnormal behavior belongs is the Privileged privilege; and if the operation authority of the container to which the abnormal behavior belongs is not the Privileged privilege, not processing.
It should be noted that the permission determination policy may further have other determination conditions, which is not limited in the embodiment of the present invention.
Specifically, the file isolation decision policy judges the file type corresponding to the abnormal behavior and yields the corresponding isolation result. For example, for an improper access request, it checks whether the file type of the file accessed by the request includes the system kernel. If it does not, the file isolation decision policy yields an isolation result of no processing. If it does, the policy goes on to check whether the container has been mounted to the kernel folder in violation of the rules: if so, it generates an isolation result of removing the mount and isolating the kernel folder; if not, it generates an isolation result of no processing.
It should be noted that the file isolation policy may further have other decision conditions, which is not limited in the embodiment of the present invention.
Step 2033, generating a decision result according to the access stop command, the permission result and the isolation result.
It should be noted that the decision result may also include other results, which is not limited in the embodiment of the present invention.
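Steps 2031 to 2033 can be sketched as follows. This is an added example, not code from the patent: it assumes the container is described by `docker inspect`-style JSON (the sample below is constructed), and the `KERNEL_DIRS` list and the result names `close_privileged` and `unmount_and_isolate` are assumptions, since the patent does not enumerate kernel folders or result formats.

```python
import json
import posixpath
from dataclasses import dataclass
from typing import Optional

# Assumption: host directories treated as "kernel folders".
KERNEL_DIRS = ("/proc", "/sys", "/boot", "/lib/modules")

# Constructed sample in the shape of `docker inspect` output (trimmed).
SAMPLE_INSPECT = json.loads("""
{
  "Id": "c0ffee000000",
  "Name": "/meter-collector",
  "HostConfig": {"Privileged": true},
  "Mounts": [
    {"Type": "bind", "Source": "/lib/modules",
     "Destination": "/host-modules", "RW": true},
    {"Type": "volume", "Source": "/var/lib/docker/volumes/data/_data",
     "Destination": "/data", "RW": true}
  ]
}
""")


def _under(path, root):
    """True if path equals root or lies below it, compared per path component
    after normalisation, so '/lib/modules-extra' is not under '/lib/modules'."""
    path, root = posixpath.normpath(path), posixpath.normpath(root)
    return path == root or path.startswith(root.rstrip("/") + "/")


def is_kernel_path(path):
    return any(_under(path, d) for d in KERNEL_DIRS)


def to_host_path(inspect, container_path):
    """Map a path seen inside the container to the host path behind it,
    using the mount with the longest matching destination."""
    cpath = posixpath.normpath(container_path)  # collapses '..' segments
    best = None
    for mount in inspect.get("Mounts", []):
        dest = posixpath.normpath(mount["Destination"])
        if _under(cpath, dest) and (best is None or len(dest) > len(best[0])):
            best = (dest, mount["Source"])
    if best is None:
        return cpath
    rel = posixpath.relpath(cpath, best[0])
    return posixpath.normpath(posixpath.join(best[1], rel))


@dataclass
class Decision:
    stop_access: bool                 # the stop access command
    permission_result: Optional[str]  # None means "no processing"
    isolation_result: Optional[dict]  # None means "no processing"


def decide(inspect, container_path):
    """Build the decision result for one improper access request."""
    # Permission decision policy: is the container running privileged?
    privileged = bool(inspect.get("HostConfig", {}).get("Privileged"))
    permission = "close_privileged" if privileged else None

    # File isolation decision policy: does the accessed file belong to the
    # kernel, and if so, is a kernel folder bind-mounted into the container?
    isolation = None
    if is_kernel_path(to_host_path(inspect, container_path)):
        bad = [m["Destination"] for m in inspect.get("Mounts", [])
               if m.get("Type") == "bind" and is_kernel_path(m["Source"])]
        if bad:
            isolation = {"action": "unmount_and_isolate", "mounts": bad}

    # The improper request itself is always rejected.
    return Decision(True, permission, isolation)


if __name__ == "__main__":
    print(decide(SAMPLE_INSPECT, "/data/../host-modules/x.ko"))
```

Resolving the container path through the mount table before classifying it matters: the request names `/host-modules`, which only becomes a kernel folder once mapped back to `/lib/modules` on the host.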
As another alternative, the abnormal behavior is frequent abnormal access, and step 203 specifically includes:
Step 3031, matching, from the abnormal decision policies, the decision policy corresponding to frequent abnormal access, where the decision policy includes an access frequency decision policy and an access constraint decision policy.
In the embodiment of the present invention, the abnormal decision policy may be configured with a plurality of decision policies corresponding to the abnormal behavior of frequent abnormal access, including but not limited to an access frequency decision policy and an access constraint decision policy. The access frequency decision policy and the access constraint decision policy require further judgment based on the properties and behavior of the container.
It should be noted that the decision policy corresponding to frequent abnormal access may further include other decision policies, which may be configured specifically according to actual situations, and this is not limited in the embodiment of the present invention.
Step 3032, judging the abnormal behavior through the access frequency decision policy and the access constraint decision policy to obtain a frequency result and a constraint result.
Specifically, the log of the abnormal behavior is judged through the access frequency decision policy to obtain a frequency result. For example: judging whether the time period of the frequent access is a time period marked in advance as allowing frequent access; if so, no processing is performed; if not, a frequency result of rejecting subsequent access requests of the process is generated.
Specifically, the log of the abnormal behavior is judged through the access constraint decision policy to obtain a constraint result. For example: according to the set constraint rule, judging whether the process conforms to the constraint rule based on the importance of the process and its corresponding upstream services; if so, generating a frequency result of access permission; if not, generating a frequency result of access refusal. An upstream service is a process that uses this process as its underlying service.
It should be noted that the access frequency decision policy, the access constraint decision policy, and the constraint rule may also have other decision conditions, which is not limited in the embodiment of the present invention.
Step 3033, generating a decision result according to the frequency result and the constraint result.
It should be noted that the decision result may also include other results, which is not limited in the embodiment of the present invention.
As another alternative, the abnormal behavior is to occupy too many resources, and step 203 specifically includes:
Step 4031, matching, from the abnormal decision policies, the decision policy corresponding to occupying too many resources, where the decision policy includes a system resource decision policy.
In the embodiment of the present invention, the abnormal decision policy may be configured with a plurality of decision policies corresponding to the abnormal behavior of occupying too many resources, including but not limited to a system resource decision policy, which requires further judgment based on the properties and behavior of the container.
It should be noted that the decision policy corresponding to the occupation of too many resources may further include other decision policies, which may be configured specifically according to actual situations, and this is not limited in the embodiment of the present invention.
Step 4032, judging the abnormal behavior through the system resource decision policy to obtain a resource result.
Specifically, the log of the abnormal behavior is judged through the system resource decision policy to obtain a resource result. For example: checking the current utilization rate of the Central Processing Unit (CPU) and the memory; if the utilization rate is greater than or equal to a utilization rate threshold, there is a risk of a Denial of Service (DoS) attack, and a resource result of rejecting subsequent process creation requests is generated; if the utilization rate is less than the utilization rate threshold, no processing is performed. The utilization rate threshold may be set according to actual requirements, which is not limited in the embodiment of the present invention.
Further, the necessity of the created processes is judged and useless processes are closed; if the number of useless processes created by a container is greater than the set number threshold, the operation of closing the container or deleting the container is executed. The number threshold may be set according to actual requirements, which is not limited in the embodiment of the present invention.
It should be noted that the system resource decision policy may also have other decision conditions, which is not limited in the embodiment of the present invention.
Step 4033, generating a decision result according to the resource result.
It is worth mentioning that the decision result may also include other results, such as closing the container or deleting the container, which is not limited in the embodiments of the present invention.
As another alternative, the abnormal behavior is access to a shared data volume. Specifically, when log analysis shows that the target of a file access request is a file in the shared data volume, the security levels of the requesting container and of the data volume container are read and compared. When the two containers are at different security levels, both the higher-level and the lower-level container can read files in the shared data volume, which lets the high security level container distribute data downward. The low-level container cannot write the files of the high-level container, while the high-level container can write the files of the low-level container, so the data of the high-level container is protected from tampering and inconsistency in the data distributed by the high-level container is avoided.
Alternatively, the abnormal behavior is frequent creation of files. Specifically, when the log shows that a container has created a large number of files in a short time, the file sizes are scanned. If a large number of empty files have been created, an inode (Inode) attack is determined, the container's subsequent file creation requests are stopped, and all the empty files are deleted to release the Inode space. If the files are not empty, whether the container actually needs to create these files is analyzed, and whether to restrict the container's subsequent file creation requests is decided according to the actual situation.
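The empty-file check for frequent file creation can be sketched as follows. This is an added example, not code from the patent: the thresholds `BURST_THRESHOLD` and `EMPTY_RATIO` and the verdict names are assumptions (the patent gives no numbers), the scanned directory stands in for the container's writable directory on the host, and the sample files are constructed.

```python
import os
import stat
import tempfile
import time

# Assumptions: what counts as "a large number of files in a short time"
# and as "a large number of empty files".
BURST_THRESHOLD = 100
EMPTY_RATIO = 0.9


def scan_recent(root, window_s, now=None):
    """Return (recent, recent_empty): regular files under root whose inode
    change time lies within the last window_s seconds. st_ctime is used as
    an approximation because Linux stat() exposes no portable creation time."""
    now = time.time() if now is None else now
    recent, empty = [], []
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)          # do not follow symlinks
            except FileNotFoundError:
                continue                     # file vanished during the scan
            if not stat.S_ISREG(st.st_mode):
                continue
            if now - st.st_ctime <= window_s:
                recent.append(path)
                if st.st_size == 0:
                    empty.append(path)
    return recent, empty


def inode_usage(path):
    """Fraction of inodes in use on the filesystem holding path, or None
    when the filesystem does not report an inode total."""
    vfs = os.statvfs(path)
    if vfs.f_files == 0:
        return None
    return 1.0 - vfs.f_ffree / vfs.f_files


def decide_file_burst(root, window_s=60, now=None):
    """Classify a file-creation burst and list what should be cleaned up."""
    recent, empty = scan_recent(root, window_s, now)
    result = {"verdict": "normal", "block_create": False, "delete": [],
              "inode_usage": inode_usage(root)}
    if len(recent) < BURST_THRESHOLD:
        return result                        # no burst at all
    if len(empty) / len(recent) >= EMPTY_RATIO:
        # Mostly empty files: treat as inode exhaustion, stop further
        # creation and hand back the empty files for deletion.
        result.update(verdict="inode_attack", block_create=True,
                      delete=sorted(empty))
    else:
        # Files carry data: needs a judgement on whether they are required.
        result["verdict"] = "review"
    return result


def build_sample(root, n_empty, n_data):
    """Create constructed sample files for the demonstration."""
    for i in range(n_empty):
        open(os.path.join(root, "e%04d" % i), "w").close()
    for i in range(n_data):
        with open(os.path.join(root, "d%04d" % i), "w") as fh:
            fh.write("reading\n")


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp, n_empty=150, n_data=5)
        verdict = decide_file_burst(tmp)
        print(verdict["verdict"], len(verdict["delete"]), verdict["inode_usage"])
```

The function only returns the list of empty files; deleting them and blocking further creation is left to the exception handling step.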
Step 204, performing exception handling on the container according to the decision result.
In the embodiment of the present invention, the decision result includes, but is not limited to, a Docker command and a service processing result, the Docker command includes, but is not limited to, a stop access (stop) command, a kill (kill) command, or a delete (rm) command, and the service processing result includes, but is not limited to, an authority result, an isolation result, a frequency result, a constraint result, and a resource result.
Specifically, exception handling includes executing the corresponding Docker command; performing task control, priority allocation, resource statistics, resource restriction, and the like based on Cgroups; and setting file or directory access permissions based on the Linux Security Modules (LSM) access control framework: the corresponding security module is registered with the LSM using the register_security() function, and access control operations are performed after the module has been loaded successfully.
In the embodiment of the present invention, for containers with destructive anomalies, for example a container in which a malicious attack program is placed, or a container that still shows malicious attack behavior after its control permissions have been configured multiple times through the access control mechanism, the delete command is executed. For containers with high resource consumption, for example where the abnormal behavior is frequent abnormal access, occupying too many resources, or frequent creation of files, the kill command is executed. For containers with general access anomalies, for example where the abnormal behavior is an improper access request or access to the shared data volume, the stop command is executed.
As an alternative, the decision result includes a stop access command, an authority result and an isolation result, the authority result is to close the priority privilege, and the isolation result is to unmount and isolate the kernel folder. Specifically, in response to the stop access command, the access request of the container is stopped; closing the priority privilege of the container in response to the permission result; and responding to the isolation result, relieving the mount between the container and the kernel folder, and isolating the kernel folder.
In the embodiment of the invention, Docker security problems can be addressed, thereby improving the isolation and security of the system. The invention is a container security architecture design that records and analyzes Docker behavior and makes the corresponding decisions and handling. When a container is abnormal, it may adversely affect the system through improper access requests, frequent access to the database, occupation of excessive resources, and other means; by recording and analyzing the various behaviors of Docker, abnormal conditions can be found in advance and handled in time, ensuring normal operation of the system and improving its isolation and security.
According to the technical scheme of the container abnormal behavior processing method, anomaly detection is performed on the acquired behavior log of the container; if an abnormal behavior is detected, a corresponding decision result is generated according to the abnormal behavior through a set abnormal decision policy; and exception handling is performed on the container according to the decision result. Anomaly analysis can thus start from the behavior of the container, improving the accuracy of security protection and ensuring the confidentiality, integrity, reliability and availability of information.
Example 4
Fig. 4 is a schematic structural diagram of a container abnormal behavior processing apparatus according to an embodiment of the present invention, the apparatus is configured to execute the container abnormal behavior processing method, and as shown in fig. 4, the apparatus includes: the log system unit 11, the abnormality detection unit 12, the abnormality decision unit 13, and the abnormality processing unit 14.
The log system unit 11 is configured to send the behavior log of the container to the abnormality detection unit.
The anomaly detection unit 12 is used for carrying out anomaly detection on the behavior log of the container; and if the abnormal behavior is detected, sending the abnormal behavior to an abnormal decision unit.
The exception decision unit 13 is configured to generate a corresponding decision result according to the exception behavior through the set exception decision policy, and send the decision result to the exception handling unit.
The exception handling unit 14 is configured to perform exception handling on the container according to the decision result.
In the embodiment of the present invention, the apparatus further includes: an acquisition unit 15.
The obtaining unit 15 is used for obtaining the behavior log of the container through the log collection tool and the log extraction command.
In the embodiment of the present invention, the anomaly detection unit 12 is specifically configured to perform anomaly detection on the behavior log through the constructed anomaly detection model to obtain a detection result, where the detection result includes an abnormal behavior or a normal behavior.
In the embodiment of the invention, the log extraction command comprises at least one of a run log command, an event command and a history command; the acquisition unit 15 is specifically configured to acquire behavior log source data through a log collection tool; extract the running logs of all processes in the container from the behavior log source data through the run log command; extract a system event log from the behavior log source data through the event command; extract historical version information of the specified image from the behavior log source data through the history command; and generate a behavior log according to the running log, the system event log and the historical version information of the specified image.
In the embodiment of the present invention, the apparatus further includes: a splicing unit 16 and a training unit 17.
The splicing unit 16 is configured to normalize and splice the obtained sample logs to obtain a sample vector, where the sample logs include a normal sample log carrying a normal tag and an abnormal sample log carrying an abnormal tag.
The training unit 17 is configured to train the deep learning model through the sample log to obtain an anomaly detection model.
In the embodiment of the invention, the abnormal behavior comprises an improper access request; the exception decision unit 13 is specifically configured to match a decision policy corresponding to the improper access request from the exception decision policies, where the decision policy includes an access stop command, an authority decision policy, and a file isolation decision policy; judging the abnormal behavior through the authority judgment strategy and the file isolation judgment strategy to obtain an authority result and an isolation result; and generating a decision result according to the access stopping command, the permission result and the isolation result.
In the embodiment of the present invention, the exception decision unit 13 is specifically configured to decide, through an authority decision policy, an operation authority of a container to which the exception behavior belongs, so as to obtain a corresponding authority result; and judging the file type corresponding to the abnormal behavior through a file isolation judgment strategy to obtain a corresponding isolation result.
In the embodiment of the present invention, the exception decision unit 13 is specifically configured to, if the operation permission of the container to which the exception behavior belongs is the priority privilege, match the permission result for closing the priority privilege through a permission decision policy.
In the embodiment of the present invention, the exception decision unit 13 is specifically configured to, if the file type corresponding to the exception behavior includes a system kernel, determine, through a file isolation decision policy, whether the container is illegally mounted to a kernel folder; and if so, generating an isolation result for removing the mount and isolating the kernel folder.
In the embodiment of the invention, the decision result comprises a stop access command, a permission result and an isolation result, wherein the permission result is closing the priority privilege, and the isolation result is removing the mount and isolating the kernel folder; the exception handling unit 14 is specifically configured to stop the access request of the container in response to the stop access command; close the priority privilege of the container in response to the permission result; and, in response to the isolation result, remove the mount between the container and the kernel folder and isolate the kernel folder.
According to the scheme of the embodiment of the invention, anomaly detection is performed on the acquired behavior log of the container; if an abnormal behavior is detected, a corresponding decision result is generated according to the abnormal behavior through a set abnormal decision policy; and exception handling is performed on the container according to the decision result. Anomaly analysis can thus start from the behavior of the container, improving the accuracy of security protection and ensuring the confidentiality, integrity, reliability and availability of information.
The systems, devices, modules or units illustrated in the above embodiments may be implemented by a computer chip or an entity, or by a product with certain functions. A typical implementation device is a computer device, which may be, for example, a personal computer, a laptop computer, a cellular telephone, a camera phone, a smart phone, a personal digital assistant, a media player, a navigation device, an email device, a game console, a tablet computer, a wearable device, or a combination of any of these devices.
Example 5
Embodiments of the present invention provide a computer device, including a memory and a processor, where the memory is used to store information including program instructions, and the processor is used to control execution of the program instructions, and the program instructions are loaded and executed by the processor to implement the steps of the above embodiment of the container abnormal behavior processing method, and specific descriptions may refer to the above embodiment of the container abnormal behavior processing method.
Reference is now made to fig. 5, which illustrates a schematic block diagram of a computer device 600 suitable for use in implementing embodiments of the present application.
As shown in fig. 5, the computer apparatus 600 includes a Central Processing Unit (CPU)601 which can perform various appropriate works and processes according to a program stored in a Read Only Memory (ROM)602 or a program loaded from a storage section 608 into a Random Access Memory (RAM) 603. In the RAM603, various programs and data necessary for the operation of the computer apparatus 600 are also stored. The CPU601, ROM602, and RAM603 are connected to each other via a bus 604. An input/output (I/O) interface 605 is also connected to bus 604.
The following components are connected to the I/O interface 605: an input portion 606 including a keyboard, a mouse, and the like; an output portion 607 including a Cathode Ray Tube (CRT), a liquid crystal display (LCD), and the like, and a speaker and the like; a storage section 608 including a hard disk and the like; and a communication section 609 including a network interface card such as a LAN card, a modem, or the like. The communication section 609 performs communication processing via a network such as the internet. The drive 610 is also connected to the I/O interface 605 as needed. A removable medium 611 such as a magnetic disk, an optical disk, a magneto-optical disk, a semiconductor memory, or the like is mounted on the drive 610 as necessary, so that a computer program read out therefrom is installed on the storage section 608 as necessary.
Example 6
In particular, according to an embodiment of the present invention, the processes described above with reference to the flowcharts may be implemented as computer software programs. For example, embodiments of the invention include a computer program product comprising a computer program tangibly embodied on a machine-readable medium, the computer program comprising program code for performing the method illustrated in the flow chart. In such an embodiment, the computer program may be downloaded and installed from a network through the communication section 609, and/or installed from the removable medium 611.
Computer-readable media, including both permanent and non-permanent, removable and non-removable media, may implement information storage by any method or technology. The information may be computer readable instructions, data structures, modules of a program, or other data. Examples of computer storage media include, but are not limited to, phase change memory (PRAM), Static Random Access Memory (SRAM), Dynamic Random Access Memory (DRAM), other types of Random Access Memory (RAM), Read Only Memory (ROM), Electrically Erasable Programmable Read Only Memory (EEPROM), flash memory or other memory technology, compact disc read only memory (CD-ROM), Digital Versatile Discs (DVD) or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other non-transmission medium that can be used to store information that can be accessed by a computing device. As defined herein, a computer readable medium does not include a transitory computer readable medium such as a modulated data signal and a carrier wave.
For convenience of description, the above devices are described as being divided into various units by function, and are described separately. Of course, the functionality of the units may be implemented in one or more software and/or hardware when implementing the present application.
The present invention is described with reference to flowchart illustrations and/or block diagrams of methods, apparatus (systems), and computer program products according to embodiments of the invention. It will be understood that each flow and/or block of the flow diagrams and/or block diagrams, and combinations of flows and/or blocks in the flow diagrams and/or block diagrams, can be implemented by computer program instructions. These computer program instructions may be provided to a processor of a general purpose computer, special purpose computer, embedded processor, or other programmable data processing apparatus to produce a machine, such that the instructions, which execute via the processor of the computer or other programmable data processing apparatus, create means for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be stored in a computer-readable memory that can direct a computer or other programmable data processing apparatus to function in a particular manner, such that the instructions stored in the computer-readable memory produce an article of manufacture including instruction means which implement the function specified in the flowchart flow or flows and/or block diagram block or blocks.
These computer program instructions may also be loaded onto a computer or other programmable data processing apparatus to cause a series of operational steps to be performed on the computer or other programmable apparatus to produce a computer implemented process such that the instructions which execute on the computer or other programmable apparatus provide steps for implementing the functions specified in the flowchart flow or flows and/or block diagram block or blocks.
It should also be noted that the terms "comprises," "comprising," or any other variation thereof, are intended to cover a non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements does not include only those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus. Without further limitation, an element defined by the phrase "comprising an … …" does not exclude the presence of other like elements in a process, method, article, or apparatus that comprises the element.
In the technical scheme of the present application, the acquisition, storage, use, processing and the like of data comply with the relevant provisions of national laws and regulations.
As will be appreciated by one skilled in the art, embodiments of the present application may be provided as a method, system, or computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, and the like) having computer-usable program code embodied therein.
The application may be described in the general context of computer-executable instructions, such as program modules, being executed by a computer. Generally, program modules include routines, programs, objects, components, data structures, etc. that perform particular tasks or implement particular abstract data types. The application may also be practiced in distributed computing environments where tasks are performed by remote processing devices that are linked through a communications network. In a distributed computing environment, program modules may be located in both local and remote computer storage media including memory storage devices.
The embodiments in the present specification are described in a progressive manner, and the same and similar parts among the embodiments are referred to each other, and each embodiment focuses on the differences from the other embodiments. In particular, for the system embodiment, since it is substantially similar to the method embodiment, the description is simple, and for the relevant points, reference may be made to the partial description of the method embodiment.
The above description is only an example of the present application and is not intended to limit the present application. Various modifications and changes may occur to those skilled in the art. Any modification, equivalent replacement, improvement, etc. made within the spirit and principle of the present application should be included in the scope of the claims of the present application.

Claims (14)

1. A method for handling container abnormal behavior, the method comprising:
performing anomaly detection on the acquired behavior log of the container;
if the abnormal behavior is detected, generating a corresponding decision result according to the abnormal behavior through a set abnormal decision strategy;
and carrying out exception handling on the container according to the decision result.
2. The container abnormal behavior processing method according to claim 1, further comprising, before the performing the abnormal detection on the acquired behavior log of the container:
and acquiring a behavior log of the container through a log acquisition tool and a log extraction command.
3. The container abnormal behavior processing method according to claim 1, wherein the performing abnormal detection on the acquired behavior log of the container includes:
and carrying out anomaly detection on the behavior log through the constructed anomaly detection model to obtain a detection result, wherein the detection result comprises an abnormal behavior or a normal behavior.
4. The container abnormal behavior processing method according to claim 2, wherein the log extraction command includes at least one of a run log command, an event command, and a history command;
the acquiring the behavior log of the container through the log collection tool and the log extraction command comprises the following steps:
acquiring behavior log source data through a log acquisition tool;
extracting the running logs of all processes in the container from the behavior log source data through the running log command;
extracting a system event log from the behavior log source data through the event command;
extracting historical version information of the specified image from the behavior log source data through the history command;
and generating the behavior log according to the running log, the system event log and the historical version information of the specified image.
5. The container abnormal behavior processing method according to claim 3, wherein before the performing abnormal detection on the behavior log through the constructed abnormal detection model to obtain a detection result, the detection result includes an abnormal behavior or a normal behavior, the method further includes:
normalizing and splicing the obtained sample logs to obtain a sample vector, wherein the sample logs comprise normal sample logs carrying normal labels and abnormal sample logs carrying abnormal labels;
and training the deep learning model through the sample log to obtain an anomaly detection model.
6. The container abnormal behavior processing method according to claim 1, wherein the abnormal behavior includes an improper access request;
the step of generating a corresponding decision result according to the abnormal behavior by the set abnormal decision strategy comprises the following steps:
matching a decision strategy corresponding to the improper access request from the abnormal decision strategies, wherein the decision strategy comprises an access stopping command, a permission decision strategy and a file isolation decision strategy;
judging the abnormal behavior through the authority judgment strategy and the file isolation judgment strategy to obtain an authority result and an isolation result;
and generating a decision result according to the access stopping command, the permission result and the isolation result.
7. The container abnormal behavior processing method according to claim 6, wherein the determining the abnormal behavior through the permission determination policy and the file isolation determination policy to obtain a permission result and an isolation result comprises:
judging the operation authority of the container to which the abnormal behavior belongs through the authority judgment strategy to obtain a corresponding authority result;
and judging the file type corresponding to the abnormal behavior through the file isolation judgment strategy to obtain a corresponding isolation result.
8. The container abnormal behavior processing method according to claim 7, wherein the determining, by the permission determination policy, the operation permission of the container to which the abnormal behavior belongs to obtain a corresponding permission result includes:
if the operation permission of the container to which the abnormal behavior belongs is the priority privilege, matching, through the permission determination policy, the permission result of closing the priority privilege.
9. The container abnormal behavior processing method according to claim 7, wherein the determining a file type corresponding to the abnormal behavior by the file isolation determination policy to obtain a corresponding isolation result comprises:
if the file type corresponding to the abnormal behavior comprises a system kernel, determining, according to the file isolation determination policy, whether the container is improperly mounted to a kernel folder;
and if so, generating an isolation result of releasing the mount and isolating the kernel folder.
10. The container abnormal behavior processing method according to claim 1, wherein the decision result includes a stop access command, a permission result and an isolation result, the permission result is closing the priority privilege, and the isolation result is releasing the mount and isolating the kernel folder;
the exception handling of the container according to the decision result comprises:
stopping the access request of the container in response to the stop access command; closing the priority privilege of the container in response to the permission result; and, in response to the isolation result, releasing the mount between the container and the kernel folder and isolating the kernel folder.
11. An apparatus for handling abnormal behavior of a container, the apparatus comprising: a log system unit, an abnormality detection unit, an abnormality decision unit and an abnormality processing unit;
the log system unit is used for sending the behavior log of the container to the abnormality detection unit;
the abnormality detection unit is used for performing abnormality detection on the behavior log of the container and, if an abnormal behavior is detected, sending the abnormal behavior to the abnormality decision unit;
the abnormality decision unit is used for generating a corresponding decision result according to the abnormal behavior through a set abnormal decision strategy and sending the decision result to the abnormality processing unit;
and the abnormality processing unit is used for performing exception handling on the container according to the decision result.
12. A computer-readable medium, on which a computer program is stored, which, when being executed by a processor, carries out a method of handling abnormal behavior of a container according to any one of claims 1 to 10.
13. A computer device comprising a memory for storing information comprising program instructions and a processor for controlling the execution of the program instructions, wherein the program instructions, when loaded and executed by the processor, implement the container abnormal behavior processing method according to any one of claims 1 to 10.
14. A computer program product comprising computer programs/instructions, characterized in that the computer programs/instructions, when executed by a processor, implement the container abnormal behavior handling method of any one of claims 1 to 10.
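The decision flow of claims 6 to 10, written out as an added Python example that is not part of the patent text. The record fields, the list standing in for "kernel folder", the per-container mount allowlist used to decide what counts as a violation, and the reading of "priority privilege" as a boolean flag are all assumptions; the response is returned as a plan rather than executed.

```python
import posixpath
from dataclasses import dataclass, field

# Assumption: the claims do not define "kernel folder"; these host paths stand in for it.
KERNEL_FOLDERS = ("/boot", "/lib/modules", "/proc", "/sys")

@dataclass
class AbnormalBehavior:              # hypothetical record emitted by the detection unit
    container_id: str
    kind: str                        # e.g. "improper_access_request"
    file_types: set                  # file types the behavior touched
    privileged: bool                 # container holds the "priority privilege"
    mounts: list                     # host paths mounted into the container
    allowed_mounts: set = field(default_factory=set)   # mounts approved for it

def under(path, root):
    """Component-wise containment after normalization, so /sysdata is not /sys."""
    path, root = posixpath.normpath(path), posixpath.normpath(root)
    return path == root or path.startswith(root + "/")

def permission_result(b):            # claim 8
    return "close_priority_privilege" if b.privileged else None

def isolation_result(b):             # claim 9
    if "system_kernel" not in b.file_types:
        return None
    bad = sorted(m for m in b.mounts if m not in b.allowed_mounts
                 and any(under(m, k) for k in KERNEL_FOLDERS))
    return {"unmount_and_isolate": bad} if bad else None

def decide(b):                       # claims 6 and 7
    if b.kind != "improper_access_request":
        return None                  # other kinds have no matching strategy here
    return {"stop_access": True, "permission": permission_result(b),
            "isolation": isolation_result(b)}

def plan(b, decision):               # claim 10, returned as a plan instead of executed
    steps = [("stop_access", b.container_id)]
    if decision["permission"]:
        steps.append((decision["permission"], b.container_id))
    for m in (decision["isolation"] or {}).get("unmount_and_isolate", []):
        steps += [("unmount", b.container_id, m), ("isolate_folder", m)]
    return steps

# Constructed sample: a privileged container with one unapproved kernel mount.
EVENT = AbnormalBehavior("c-demo", "improper_access_request", {"system_kernel"},
                         True, ["/sys/kernel/debug", "/sysdata", "/sys/../etc", "/proc"],
                         allowed_mounts={"/proc"})

if __name__ == "__main__":
    for step in plan(EVENT, decide(EVENT)):
        print(step)
```

Comparing normalized path components rather than raw string prefixes keeps look-alike paths such as `/sysdata` or `/sys/../etc` from being treated as kernel mounts.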
CN202210695561.2A 2022-06-20 2022-06-20 Container abnormal behavior processing method and device Pending CN115080291A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210695561.2A CN115080291A (en) 2022-06-20 2022-06-20 Container abnormal behavior processing method and device

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202210695561.2A CN115080291A (en) 2022-06-20 2022-06-20 Container abnormal behavior processing method and device

Publications (1)

Publication Number Publication Date
CN115080291A true CN115080291A (en) 2022-09-20

Family

ID=83254101

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202210695561.2A Pending CN115080291A (en) 2022-06-20 2022-06-20 Container abnormal behavior processing method and device

Country Status (1)

Country Link
CN (1) CN115080291A (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN116431276A (en) * 2023-02-28 2023-07-14 港珠澳大桥管理局 Container security protection method, device, computer equipment and storage medium

Similar Documents

Publication Publication Date Title
US10936717B1 (en) Monitoring containers running on container host devices for detection of anomalies in current container behavior
CN114584405B (en) Electric power terminal safety protection method and system
US10853488B2 (en) System and method for a security filewall system for protection of an information handling system
CN101777062B (en) Context-aware real-time computer-protection systems and methods
US20220050897A1 (en) Microservice adaptive security hardening
US10341355B1 (en) Confidential malicious behavior analysis for virtual computing resources
US8209758B1 (en) System and method for classifying users of antivirus software based on their level of expertise in the field of computer security
US9813450B1 (en) Metadata-based verification of artifact quality policy compliance
US8214904B1 (en) System and method for detecting computer security threats based on verdicts of computer users
CN107341401A (en) A kind of malicious application monitoring method and equipment based on machine learning
EP3350741B1 (en) Detecting software attacks on processes in computing devices
CN102710598A (en) System and method for reducing security risk in computer network
US9444829B1 (en) Systems and methods for protecting computing resources based on logical data models
CN110020687B (en) Abnormal behavior analysis method and device based on operator situation perception portrait
CN111159762B (en) Subject credibility verification method and system under mandatory access control
CN111489166A (en) Risk prevention and control method, device, processing equipment and system
WO2014210144A1 (en) Systems and methods for directing application updates
CN114091042A (en) Risk early warning method
CN115080291A (en) Container abnormal behavior processing method and device
WO2020086178A1 (en) Systems and methods for using an application control prioritization index
Priyanka et al. Fundamentals of wireless sensor networks using machine learning approaches: Advancement in big data analysis using Hadoop for oil pipeline system with scheduling algorithm
CN117235797A (en) Intelligent management method, device, equipment and system for big data resource access
CN117708880A (en) Intelligent security processing method and system for banking data
US20240056475A1 (en) Techniques for detecting living-off-the-land binary attacks
CN112572522A (en) Early warning method and device for axle temperature fault of vehicle bearing

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination