CN115809120A - Attack simulation detection method, system, medium and electronic device for Docker container - Google Patents


Info

Publication number: CN115809120A
Authority: CN (China)
Legal status: Pending
Application number: CN202310148712.7A
Other languages: Chinese (zh)
Inventors: 聂君, 吴佳波, 宫华, 孟繁强, 张游知, 张践鳌, 姚逸, 石天浩, 陈瑜
Current Assignee: Beijing Zhiqi'an Technology Co ltd
Original Assignee: Beijing Zhiqi'an Technology Co ltd
Application filed by Beijing Zhiqi'an Technology Co ltd

Classifications

    • Y: GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02: TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D: CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D10/00: Energy efficient computing, e.g. low power processors, power management or thermal management


Abstract

The application relates to an attack simulation detection method, system, medium and electronic device for a Docker container. The method comprises the following steps: acquiring an attack simulation task; releasing two resident containers according to the attack simulation task, the two resident containers comprising a worker container and a target container with a vulnerability; and controlling the worker container to attack the target container and implant a webshell into the target container through the vulnerability, so that the business server simulates an attack behavior based on the webshell and the security device detects the attack behavior. By adopting the embodiments of the application, the security device can detect the simulated attack behavior, and can therefore detect such attack behavior in time when it occurs under real conditions, so that the potential security risk of the container is reduced.

Description

Attack simulation detection method, system, medium and electronic device for Docker container
Technical Field
The present application relates to the field of computer security management technologies, and in particular, to a method, a system, a medium, and an electronic device for detecting an attack simulation of a Docker container.
Background
Docker is a lightweight container in which applications can be conveniently built and run. Docker can run and migrate applications rapidly, integrate and deploy tasks rapidly, and improve the resource utilization of the system, so more and more enterprises move their applications to the cloud for rapid application launch and convenient operation and maintenance. Docker security is therefore receiving growing attention, and how to quickly determine whether the Docker environment in an enterprise is secure, and whether corresponding attacks can be discovered, has become important.
Because the container's security life cycle is short and the number of processes in the container is small, the security device needs a certain amount of time to detect attack behavior, and often relies on the process chain to do so. If a temporary container is started to perform the attack simulation, or the agent required to execute the attack simulation is installed directly in the container and the task is started by the agent, the security device may fail to detect the simulated attack behavior. The security device then cannot detect the attack behavior in time under real conditions, and the container carries a potential security risk.
Disclosure of Invention
In order to enable the security device to detect the attack behavior in real time and further reduce the potential safety hazard of the container, the application provides an attack simulation detection method and system of a Docker container, a storage medium and an electronic device.
In a first aspect of the present application, a method for detecting an attack simulation of a Docker container is provided, which adopts the following technical scheme:
acquiring an attack simulation task;
releasing two resident containers according to the attack simulation task, wherein the two resident containers comprise a worker container and a target container with a vulnerability;
and controlling the worker container to attack the target container, and implanting a webshell into the target container through the vulnerability, so that the business server simulates an attack behavior based on the webshell and the security device detects the attack behavior.
By adopting this technical scheme, the worker container is controlled to attack the target container with the vulnerability and implant a webshell in it using the vulnerability, so that the business server performs the attack simulation based on the webshell. The parent process of every simulated attack behavior is then the business server, so every attack behavior simulates a real hacker attack. The security device can detect the simulated attack behaviors, its capability to detect such behaviors becomes known, it can detect the corresponding attack behaviors under real conditions, and the potential security risk of the container is reduced.
Optionally, before releasing the two resident containers according to the attack simulation task, the method further includes: uploading the images of the two resident containers to the computer host on which the agent is installed, according to the attack simulation task.
By adopting this technical scheme, since a container image comprises the packaged application and its dependencies together with information about the processes run at startup, uploading the images of the two resident containers to the host on which the agent is installed before the containers are released provides the image environment that the two resident containers depend on.
Optionally, after the attack simulation task is obtained, the method further includes: controlling the target container through the docker api, and deploying a WAR package with a vulnerability in the target container.
By adopting this technical scheme, the WAR package with the vulnerability is deployed in the target container, so that the worker container can attack the target container through the vulnerability, and the parent process of the attack simulation is a business server of the tomcat type.
Optionally, after the two resident containers are released according to the attack simulation task, the method further includes: continuously judging whether the WAR package with the vulnerability has been deployed successfully; if the deployment is successful, executing the step of controlling the worker container to attack the target container. The method further comprises: if the deployment is not successful, ending the attack simulation task.
By adopting this technical scheme, whether the vulnerable WAR package has been deployed successfully is checked continuously, and the two resident containers are controlled to carry out the simulated attack only after the vulnerable WAR package has been deployed successfully, which improves the success rate of executing the attack simulation task.
Optionally, controlling the worker container to attack the target container includes: controlling the tomcat service in the target container to unpack the WAR package and start the vulnerable service corresponding to the WAR package; and controlling the worker container to attack the vulnerable service corresponding to the WAR package in the target container.
By adopting this technical scheme, the tomcat service in the target container is controlled to unpack the WAR package so that the vulnerable service corresponding to the WAR package runs, the worker container can attack the vulnerable service, and the parent process of the attack simulation is a business server of the tomcat type.
Optionally, controlling the worker container to attack the target container, implanting a webshell into the target container through the vulnerability so that the business server simulates an attack behavior based on the webshell, and having the security device detect the attack behavior, includes: controlling the worker container to attack the target container and implant a webshell into the target container through the vulnerability, so that the business server performs the attack simulation based on the webshell; and, when the business server determines that the attack characteristics of the attack simulation exist in the security device, determining that the security device has the capability of detecting the attack simulation, so that the security device detects the attack behavior. The method further comprises: if the attack characteristics do not exist in the security device, determining that the security device does not have the capability of detecting the attack simulation.
By adopting this technical scheme, the business server performs the attack simulation based on the webshell, so the parent process of every simulated attack behavior is the business server and every attack behavior simulates a real hacker attack. The security device can detect the simulated attack behaviors and can therefore detect attack behavior in time when it occurs under real conditions, so the potential security risk of the container is reduced.
Optionally, after determining whether the security device has the capability of detecting the attack simulation, the method further includes: if the security device has the capability of detecting the attack simulation, acquiring the container information of the attack simulation sent by the business server; and if the security device does not have the capability of detecting the attack simulation, generating prompt information about the potential security risk of the security device, the prompt information comprising the attack characteristics.
By adopting this technical scheme, if the security device does not have the capability of detecting the attack simulation, a potential security risk exists in the user's system, and the user is prompted to check the security device in time.
In a second aspect of the present application, there is provided an attack simulation detection system for a Docker container, the system comprising:
the task acquisition module is used for acquiring an attack simulation task;
the container release module is used for releasing two resident containers according to the attack simulation task, wherein the two resident containers comprise a worker container and a target container with a vulnerability;
and the attack simulation module is used for controlling the worker container to attack the target container and implanting a webshell into the target container through the vulnerability, so that the business server simulates an attack behavior based on the webshell and the security device detects the attack behavior.
In a third aspect of the present application, a computer storage medium is provided that stores a plurality of instructions adapted to be loaded by a processor and to perform the above-mentioned method steps.
In a fourth aspect of the present application, there is provided an electronic device comprising: a processor and a memory; wherein the memory stores a computer program adapted to be loaded by the processor and to perform the above-mentioned method steps.
In summary, the present application includes at least one of the following beneficial technical effects:
1. According to the method, the parent process of every simulated attack behavior is a business server of the tomcat type, so every attack behavior simulates a real hacker attack; the security device can detect the simulated attack behaviors, its capability to detect attack behaviors becomes known, it can detect the corresponding attack behaviors under real conditions, and the potential security risk of the container is reduced.
2. According to the method and device, the agent controls the tomcat service in the target container to unpack the WAR package so that the vulnerable service corresponding to the WAR package runs, the worker container can attack the vulnerable service, and the parent process of the attack simulation is a business server of the tomcat type.
Drawings
In order to more clearly illustrate the embodiments of the present application or the technical solutions in the prior art, the drawings used in the description of the embodiments or the prior art will be briefly described below, it is obvious that the drawings in the following description are only some embodiments of the present application, and for those skilled in the art, other drawings can be obtained according to the drawings without creative efforts.
Fig. 1 is a schematic flowchart of an attack simulation detection method for a Docker container according to an embodiment of the present disclosure;
FIG. 2 is a schematic diagram of an agent release resident container provided in an embodiment of the present application;
FIG. 3 is a diagram illustrating a process connection before and after optimization according to an embodiment of the present disclosure;
fig. 4 is a schematic diagram illustrating an implementation principle of an attack simulation detection method for a Docker container according to an embodiment of the present application;
fig. 5 is a schematic diagram of an attack simulation detection system module of a Docker container according to an embodiment of the present application;
fig. 6 is a schematic structural diagram of an electronic device according to an embodiment of the present application.
Description of reference numerals: 1. a task obtaining module; 2. a container release module; 3. an attack simulation module; 1000. an electronic device; 1001. a processor; 1002. a communication bus; 1003. a user interface; 1004. a network interface; 1005. a memory.
Detailed Description
In order to make those skilled in the art better understand the technical solutions in the present specification, the technical solutions in the embodiments of the present specification will be clearly and completely described below with reference to the drawings in the embodiments of the present specification, and it is obvious that the described embodiments are only a part of the embodiments of the present application, and not all of the embodiments.
In the description of the embodiments of the present application, the words "exemplary," "for example," or "for instance" are used to indicate instances or illustrations. Any embodiment or design described herein as "exemplary," "for example," or "for instance" is not to be construed as preferred or advantageous over other embodiments or designs. Rather, use of the words "illustrative," "such as," or "for example" is intended to present relevant concepts in a concrete fashion.
In the description of the embodiments of the present application, the term "and/or" is only one kind of association relationship describing associated objects, and means that three relationships may exist; for example, A and/or B may mean: A exists alone, B exists alone, or A and B exist at the same time. In addition, the term "plurality" means two or more unless otherwise specified. For example, a plurality of systems refers to two or more systems, and a plurality of screen terminals refers to two or more screen terminals. Furthermore, the terms "first" and "second" are used for descriptive purposes only and are not to be construed as indicating or implying relative importance or as implicitly indicating the number of the indicated technical feature. Thus, a feature defined as "first" or "second" may explicitly or implicitly include one or more of that feature. The terms "comprising," "including," "having," and variations thereof mean "including, but not limited to," unless expressly specified otherwise.
Docker is a lightweight virtualization technology and an open-source platform for building application container runtime environments. It lets developers package an application into a portable container in a convenient way and then install that container on any server running Linux, Windows or another system. Compared with a traditional virtual machine, a Docker container provides a lightweight form of virtualization that is easy to install and fast to start and stop. More and more enterprises therefore move their applications to the cloud for rapid application launch and convenient operation and maintenance. Docker security is consequently receiving growing attention, and how to rapidly determine whether the Docker environment in an enterprise is secure, and whether corresponding attacks can be discovered, is important.
Because the container's security life cycle is short and the number of processes in the container is small, the security device needs a certain amount of time to detect an attack, and attack detection often depends on the behavior of the process chain. If a temporary container is started to perform the attack simulation, the container is destroyed when the simulation finishes, and the security device has insufficient time to detect the attack behavior. Alternatively, if the agent required to execute the attack simulation is installed directly in the container and the task is started by the agent, the parent process of the task is the agent, and the security device may again fail to detect the attack behavior; the container is then exposed to attack and its security is affected.
The technical solutions of the present application, and how they solve the above technical problems, are described in detail below in combination with specific embodiments. The following embodiments may be combined with each other, and the same or similar steps or processes are not repeated in some embodiments. The embodiments of the present application are described below with reference to the accompanying drawings.
In one embodiment, as shown in fig. 1, a schematic flow chart of an attack simulation detection method for a Docker container is specifically provided. The method is mainly applied to agents installed in a computer equipment host, and the specific method comprises the following steps:
step 10: acquiring an attack simulation task;
specifically, in the embodiment of the present application, an agent may be understood as an intelligent software, an intelligent device, an intelligent computer system, and the like having an intelligent function. The security device may be understood in the embodiments of the present application as follows: the device for detecting the presence of an attack in a computer device may, for example, detect that the computer device is executing a malicious command.
Further, when the attack simulation behavior is detected, if the agent is installed in the temporary container, the temporary container destroys the attack behavior after the attack simulation is completed, which may result in that the security device does not have sufficient time to detect the attack behavior. Or the agent is directly installed in the resident container, the parent process of the attack simulation is also the agent, a certain time is needed for the safety device to detect the attack behavior due to the small number of container processes, and the safety device often depends on a process chain to detect the attack behavior, so that the attack behavior can not be detected in time. Therefore, in the embodiment of the application, the agent is installed in the host or a privileged container with special authority, so that the parent process for attacking simulation is not the agent any more, but the parent process for attacking simulation is a service server like tomcat through the process of vulnerability environment deployment and webshell implantation.
Illustratively, the attack simulation task may be understood as various attack tasks for simulating real hacking behaviors by a person in the embodiment of the present application, for example, a container escapes, and the agent on the host acquires the attack simulation task issued by the person.
On the basis of the above embodiment, after the step of obtaining the attack simulation task, the method further includes the following steps:
step 101: and uploading the mirror images of the two resident containers to a computer equipment host for installing the agent according to the attack simulation task.
Specifically, the container image may refer to a container image that contains packaged applications and their dependencies, as well as information about processes running at startup, and a user may provide instructions in some special formats to create the container image according to actual situations. After the agent receives the attack simulation task, the agent starts two resident containers, namely a worker container and a target container, the agent downloads mirror images of the two resident containers into a host of the computer equipment, when the two resident containers are started, the agent finishes the introduction of the mirror images on the host through a docker api, and provides a mirror image environment depended on for the two resident containers.
Step 102: and controlling the target container through the docker api, and deploying a war package with a vulnerability in the target container.
Specifically, the war package may be a directly running web module, the war package may be placed in webapps under tomcat, and when the tomcat server is started, the war package may decompress the source code to perform automatic deployment. The war package in the embodiment of the application is a web module with a vulnerability, and the war package is deployed on tomcat in a target container, so that a web application with the vulnerability can be started.
Illustratively, the agent controls the target container through the docker api, any war packet with a bug is deployed in the target container, so that the worker container can attack the target container according to the war packet with the bug, and a parent process simulated by the attack is a tomcat business server.
Step 20: releasing two resident containers according to the attack simulation task, wherein the two resident containers comprise a worker container and a target container with a vulnerability.
Specifically, referring to fig. 2, which is a schematic diagram of the agent releasing a resident container: when a person clicks to start the containers, the agent receives the instruction to start them and then releases and runs two containers, namely the worker container and the target container, through the docker api.
Furthermore, the agent controls the target container through the docker api and deploys the vulnerable WAR package to the target container. After the vulnerable WAR package has been deployed, whether the deployment succeeded needs to be checked continuously, that is, whether the deployed WAR package becomes accessible within a certain time. If the deployed WAR package can be accessed, the deployment has succeeded and the step of controlling the worker container to attack the target container is executed, which improves the success rate of the attack simulation task; if it cannot be accessed, the deployment has failed and the current attack simulation task is ended.
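The deployment check described in this step, as an added example that is not code from the patent or its assignee: a bounded poll of the WAR's Tomcat context path that treats "connection refused" and 404 (archive still being expanded) as "not yet accessible", returns "deployed" once the context answers, and reports "timeout" so the task can be ended. The target URL, WAR name and timings are assumptions; the probe, clock and sleep are injectable so the logic can be exercised offline.

```python
import time
import urllib.error
import urllib.request
from typing import Callable, Optional

# Added example, not the patent's code. Assumption: the target container publishes Tomcat
# on TARGET_URL and the WAR's context path is its file name without ".war".
TARGET_URL = "http://127.0.0.1:8080"   # hypothetical address of the target container


def context_path(war_name: str) -> str:
    """Tomcat deploys webapps/<name>.war under /<name>/; ROOT.war is served at /."""
    name = war_name.rsplit("/", 1)[-1]
    if name.endswith(".war"):
        name = name[:-4]
    return "/" if name == "ROOT" else f"/{name}/"


def http_status(url: str, timeout: float = 2.0) -> Optional[int]:
    """HTTP status of url, or None when Tomcat is not accepting connections yet."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as exc:
        return exc.code              # e.g. 404 while the WAR is still being unpacked
    except (urllib.error.URLError, OSError):
        return None                  # connection refused / reset during Tomcat startup


def wait_for_war(war_name: str,
                 probe: Callable[[str], Optional[int]] = http_status,
                 timeout_s: float = 60.0,
                 interval_s: float = 2.0,
                 clock: Callable[[], float] = time.monotonic,
                 sleep: Callable[[float], None] = time.sleep) -> str:
    """Poll the WAR's context path until it is accessible or the deadline passes.

    Returns "deployed" when the context answers with a 2xx/3xx status (the page's
    "deployment succeeded" condition) and "timeout" otherwise, in which case the
    attack simulation task is ended.
    """
    url = TARGET_URL.rstrip("/") + context_path(war_name)
    deadline = clock() + timeout_s
    while True:
        status = probe(url)
        if status is not None and 200 <= status < 400:
            return "deployed"
        if clock() >= deadline:
            return "timeout"
        sleep(interval_s)


if __name__ == "__main__":
    # Continue with the attack step only on "deployed"; end the task otherwise.
    print(wait_for_war("vuln-app.war"))
```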
Step 30: controlling the worker container to attack the target container, and implanting a webshell into the target container through the vulnerability, so that the business server simulates an attack behavior based on the webshell and the security device detects the attack behavior.
In particular, a webshell is a malicious script frequently used by hackers whose purpose is to obtain the authority to execute operations on a server, such as running system commands, stealing user data, deleting web pages or modifying the home page. Because a vulnerable WAR package is deployed in the target container, the agent controls the worker container through the docker api to attack the target container with the vulnerability and implant the webshell in the target container using the vulnerability, so that the business server performs the attack simulation based on the webshell and real hacking behavior can be simulated.
On the basis of the above embodiment, controlling the worker container to attack the target container, implanting a webshell into the target container through the vulnerability, and having the business server perform the attack simulation based on the webshell in order to determine whether the security device has the capability of detecting the attack simulation, further comprises the following steps:
Step 301: controlling the tomcat service in the target container to unpack the WAR package and start the vulnerable service corresponding to the WAR package; and controlling the worker container to attack the vulnerable service corresponding to the WAR package in the target container;
Specifically, tomcat is a web application server capable of running web applications. When the vulnerable WAR package has been deployed successfully in the target container, the agent controls the target container so that the tomcat service starts automatically after the container runs; upon receiving the WAR package, the tomcat service automatically unpacks it and starts the vulnerable service corresponding to it. For example, a web page containing a malicious command is written into a WAR package, and the WAR package is placed in the web directory of the tomcat server, so that the WAR package is unpacked and the vulnerable service corresponding to the malicious command in the WAR package is executed. The agent then controls the worker container to attack the vulnerable service corresponding to the WAR package in the target container, which ensures that the parent process of the attack simulation is a business server of the tomcat type.
Step 302: implanting a webshell into the target container through the vulnerability so that the business server performs the attack simulation based on the webshell and the security device detects the attack behavior.
Specifically, in order to ensure that the process chain of the attack simulation in the container matches real hacking behavior, before an attack simulation behavior such as container escape is performed, the agent implants the webshell in the target container through the vulnerability that exists in the target container, and the worker container can execute any system command by accessing the webshell implanted in the target container.
Referring to fig. 3, a schematic diagram of the process chain before and after optimization according to an embodiment of the present application: in the embodiment of the present application, the business server performs the attack simulation based on the webshell. At this point the process chain in the container completely simulates a real business scenario, and the parent process of all attack behaviors is the business server rather than the agent, so the process chain no longer consists of malicious instructions initiated by the agent but of instructions initiated by the business server. The business server initiates the attack simulation by using the vulnerability, which matches the process of a real intrusion into a business service, and the attack behavior can be detected by the security device. The security device can thus detect the attack behavior in time, and the potential security risk of the container is further reduced.
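The process-chain point of fig. 3, as an added example from the detection side (not code from the patent or its assignee): a security device that keys on "business server spawned a shell" only fires when the command's ancestry runs through Tomcat (a java process running catalina), which is why the same command launched by the agent goes unseen. The two process snapshots are constructed to mirror the "before" and "after" chains; process names and the cmdline markers used to recognise Tomcat are assumptions.

```python
import os
from dataclasses import dataclass
from typing import Dict, List

# Added example, not the patent's code. Models the process-chain rule the page says
# security devices rely on. Snapshots below are constructed, not captured.


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    comm: str      # short name, as in /proc/<pid>/comm
    cmdline: str   # full command line


Snapshot = Dict[int, Proc]

WEB_SERVER_MARKERS = ("catalina", "tomcat")   # assumption: how Tomcat shows in cmdline
SHELLS = {"sh", "bash", "dash"}


def ancestry(snap: Snapshot, pid: int) -> List[Proc]:
    """The process and its ancestors, child first; stops at an unknown parent or a cycle."""
    chain: List[Proc] = []
    seen = set()
    while pid in snap and pid not in seen:
        seen.add(pid)
        chain.append(snap[pid])
        pid = snap[pid].ppid
    return chain


def is_business_server(p: Proc) -> bool:
    return p.comm == "java" and any(m in p.cmdline.lower() for m in WEB_SERVER_MARKERS)


def web_server_spawned_shell(snap: Snapshot, pid: int) -> bool:
    """Detection rule: somewhere in the chain a shell's direct parent is the web server."""
    chain = ancestry(snap, pid)
    return any(child.comm in SHELLS and is_business_server(parent)
               for child, parent in zip(chain, chain[1:]))


def chain_summary(snap: Snapshot, pid: int) -> str:
    """Root-to-leaf chain for an alert, e.g. 'systemd > containerd-shim > java > sh > id'."""
    return " > ".join(p.comm for p in reversed(ancestry(snap, pid)))


def snapshot_from_proc() -> Snapshot:
    """Live snapshot from /proc (Linux only) for running the rule on a real host."""
    snap: Snapshot = {}
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        try:
            with open(f"/proc/{entry}/stat") as f:
                stat = f.read()
            with open(f"/proc/{entry}/cmdline", "rb") as f:
                cmdline = f.read().replace(b"\0", b" ").decode(errors="replace").strip()
        except OSError:
            continue            # process exited while being read
        comm = stat[stat.index("(") + 1:stat.rindex(")")]
        ppid = int(stat[stat.rindex(")") + 2:].split()[1])
        snap[int(entry)] = Proc(int(entry), ppid, comm, cmdline)
    return snap


# Constructed "before" chain (fig. 3, left): the agent launches the command itself.
BEFORE: Snapshot = {p.pid: p for p in [
    Proc(1, 0, "systemd", "/sbin/init"),
    Proc(900, 1, "agent", "/opt/agent/agent --task container-escape"),
    Proc(901, 900, "sh", "sh -c id"),
    Proc(902, 901, "id", "id"),
]}

# Constructed "after" chain (fig. 3, right): the command arrives through the webshell,
# so Tomcat is its parent and the chain looks like a real intrusion.
AFTER: Snapshot = {p.pid: p for p in [
    Proc(1, 0, "systemd", "/sbin/init"),
    Proc(500, 1, "containerd-shim", "containerd-shim-runc-v2 -namespace moby"),
    Proc(510, 500, "java", "java -Dcatalina.home=/usr/local/tomcat "
                           "org.apache.catalina.startup.Bootstrap start"),
    Proc(611, 510, "sh", "sh -c id"),
    Proc(612, 611, "id", "id"),
]}

if __name__ == "__main__":
    for label, snap, pid in (("before", BEFORE, 902), ("after", AFTER, 612)):
        print(label, chain_summary(snap, pid), "->", web_server_spawned_shell(snap, pid))
```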
Further, each attack simulation task has a corresponding attack characteristic. For example, the attack characteristic may be container escape, a very harmful attack technique: once an attacker completes a container escape, the attacker can directly damage the host and may compromise the security of the cluster. After the attack simulation task has been executed successfully, the business server sends the attack characteristic to the agent. On receiving it, the agent queries whether the corresponding attack characteristic exists in the user's log system; if it does, the user's security device has the capability of detecting container escape, and if it does not, the user's security device does not have that capability. According to the method and device, the parent process of every simulated attack behavior is the business server, so every attack behavior simulates a real hacker attack; the security device can detect the simulated attack behaviors, its capability to detect attack behaviors becomes known, it can detect the corresponding attack behaviors under real conditions, and the potential security risk of the container is reduced.
On the basis of the above embodiment, after the step of controlling the worker container to attack the target container and implanting a webshell in the target container through the vulnerability, so that the business server simulates an attack behavior based on the webshell and the security device detects the attack behavior, the method may further include the following steps:
If the security device does not have the capability of detecting the attack simulation, it may fail to detect the attack behavior in time when a real attack occurs, which indicates that the user's system has a potential security risk. After various attack simulations have been carried out, if the security device in the user's system has repeatedly lacked the capability of detecting the corresponding attack simulations, the business server generates an attack simulation report from the results of those simulations. The report comprises the attack characteristics and the corresponding attack simulation results, and is reported to the user terminal to prompt the user to monitor the security device in time and find the weakness. If the security device does have the capability of detecting the attack simulation, the business server acquires the container information of the attack simulation and sends it to the agent. The container information may include, but is not limited to, a container ID and a container name.
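The capability check and report described in the two passages above, as an added example that is not code from the patent or its assignee: for each completed simulation the agent looks in the user's log system for the task's attack characteristic on the right container and within a detection window, records container information for detected tasks, and builds the prompt listing the characteristics that were missed. The JSON alert format, field names, timestamps and the ten-minute window are constructed assumptions, not any product's schema.

```python
import json
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, List, Optional

# Added example, not the patent's code. Log schema and sample data are constructed.


@dataclass(frozen=True)
class SimulationResult:
    """What the business server reports to the agent after one simulation task."""
    task_id: str
    attack_feature: str          # the task's attack characteristic, e.g. container_escape
    container_id: str
    container_name: str
    started_at: datetime


@dataclass
class CapabilityReport:
    detected: Dict[str, dict] = field(default_factory=dict)   # feature -> container info
    undetected: List[str] = field(default_factory=list)       # features the device missed

    def needs_attention(self) -> bool:
        return bool(self.undetected)


def parse_alert(line: str) -> Optional[dict]:
    """One JSON alert line from the log system; None for lines that are not alerts."""
    try:
        rec = json.loads(line)
    except json.JSONDecodeError:
        return None
    if not isinstance(rec, dict) or not {"ts", "feature", "container_id"} <= rec.keys():
        return None
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec


def feature_logged(alerts: Iterable[dict], result: SimulationResult,
                   window: timedelta) -> bool:
    """True if an alert for this feature exists for this container, after the task
    started and within the detection window (older or foreign alerts do not count)."""
    end = result.started_at + window
    return any(a["feature"] == result.attack_feature
               and a["container_id"] == result.container_id
               and result.started_at <= a["ts"] <= end
               for a in alerts)


def check_capability(results: Iterable[SimulationResult], log_lines: Iterable[str],
                     window: timedelta = timedelta(minutes=10)) -> CapabilityReport:
    alerts = [a for a in map(parse_alert, log_lines) if a is not None]
    report = CapabilityReport()
    for r in results:
        if feature_logged(alerts, r, window):
            report.detected[r.attack_feature] = {"container_id": r.container_id,
                                                 "container_name": r.container_name}
        else:
            report.undetected.append(r.attack_feature)
    return report


def prompt_message(report: CapabilityReport) -> str:
    """Prompt for the user terminal; lists the attack characteristics that were missed."""
    if not report.undetected:
        return "All simulated attack characteristics were detected."
    return ("Potential security risk: the security device did not detect "
            + ", ".join(report.undetected) + ". Check its detection rules.")


# Constructed sample: two tasks on the same target container, and a few log lines.
T0 = datetime(2023, 2, 20, 9, 0, tzinfo=timezone.utc)
RESULTS = [
    SimulationResult("task-1", "container_escape", "a1b2c3", "target", T0),
    SimulationResult("task-2", "webshell_exec", "a1b2c3", "target", T0 + timedelta(minutes=15)),
]
LOG_LINES = [
    '{"ts": "2023-02-20T09:02:10+00:00", "feature": "container_escape", "container_id": "a1b2c3"}',
    '{"ts": "2023-02-20T08:30:00+00:00", "feature": "webshell_exec", "container_id": "a1b2c3"}',
    'plain text line that is not an alert',
    '{"ts": "2023-02-20T09:16:00+00:00", "feature": "webshell_exec", "container_id": "zzz999"}',
]

if __name__ == "__main__":
    rep = check_capability(RESULTS, LOG_LINES)
    print(rep.detected, rep.undetected)
    print(prompt_message(rep))
```

The second and fourth log lines are deliberately stale and for a different container, so task-2 is reported as undetected even though its feature name appears in the log.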
Referring to fig. 4, as an alternative embodiment, the implementation principle of an attack simulation detection method for a Docker container may be as follows: an agent on the host receives an attack simulation task; the agent controls the target container through the docker api and deploys a war package with a vulnerability in the target container; the agent controls the target container so that, once the container is running, its tomcat service starts automatically; on receiving the war package, the tomcat service automatically unpacks it and starts the vulnerable service that the war package contains; the agent controls the worker container to attack the target container using the vulnerability and implant a webshell into the target container; subsequent container attack simulation tasks and other attack simulation tasks are then executed on the basis of the webshell implanted in the target container. Because the parent process of every simulated attack behavior is the business server, every attack behavior simulates a real hacker attack; if the security device can detect the simulated attack behaviors, it can also detect those attack behaviors when they occur under real conditions, which reduces the potential safety hazards of the container.
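The detection-capability check described above (the agent looks for the task's attack characteristic in the user's log system, then either hands back container information or raises a prompt, and the business server aggregates repeated misses into a report) as an added example; this is not the patent's own code. The log record layout, the characteristic labels, the function names and the sample data are all assumptions; the check only credits log records written after the simulation started, so a stale alert from an earlier run is not mistaken for detection of the current one.

```python
"""Added example, not the patent's implementation: agent-side detection check and
business-server report. Record layout, labels and sample data are assumptions."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class SimulationResult:
    task_id: str
    attack_characteristic: str   # e.g. "container_escape" (assumed label)
    started_at: float            # epoch seconds at which the simulation task began
    executed_ok: bool            # whether the simulation task itself completed
    container_id: str
    container_name: str


@dataclass
class LogRecord:
    timestamp: float
    device: str                  # security device that emitted the record
    characteristic: str          # assumed: the device tags alerts with a characteristic
    message: str


def find_detection(logs: List[LogRecord], result: SimulationResult) -> Optional[LogRecord]:
    """Return the first record showing that the security device detected this run.
    Only records written after the task started count, so an old alert for the same
    characteristic cannot be credited to a later simulation."""
    for record in sorted(logs, key=lambda r: r.timestamp):
        if record.timestamp < result.started_at:
            continue
        if record.characteristic == result.attack_characteristic:
            return record
    return None


def evaluate(result: SimulationResult, logs: List[LogRecord]) -> Dict[str, object]:
    """Agent-side decision for one task: container info when the device detected the
    simulation, otherwise a prompt carrying the attack characteristic."""
    if not result.executed_ok:
        return {"task_id": result.task_id, "status": "simulation_failed"}
    hit = find_detection(logs, result)
    if hit is not None:
        return {
            "task_id": result.task_id,
            "status": "detected",
            "detected_by": hit.device,
            "container_info": {"id": result.container_id, "name": result.container_name},
        }
    return {
        "task_id": result.task_id,
        "status": "not_detected",
        "attack_characteristic": result.attack_characteristic,
        "prompt": f"security device cannot detect {result.attack_characteristic}",
    }


def build_report(outcomes: List[Dict[str, object]], min_misses: int = 2) -> Dict[str, object]:
    """Business-server side: list every attack characteristic the security device
    missed at least `min_misses` times, together with the per-task results."""
    misses: Dict[str, List[str]] = {}
    for o in outcomes:
        if o["status"] == "not_detected":
            misses.setdefault(str(o["attack_characteristic"]), []).append(str(o["task_id"]))
    flagged = {c: tasks for c, tasks in misses.items() if len(tasks) >= min_misses}
    return {"undetected_characteristics": flagged, "results": outcomes}


# Constructed sample data: two container-escape runs and two privilege-escalation runs.
# The log system holds only container-escape alerts, one of which predates run t2.
SAMPLE_LOGS = [
    LogRecord(90.0, "hids", "container_escape", "container escape alert (earlier run)"),
    LogRecord(120.0, "hids", "container_escape", "container escape alert"),
]
SAMPLE_RESULTS = [
    SimulationResult("t1", "container_escape", 100.0, True, "c1a2", "sim-target"),
    SimulationResult("t2", "container_escape", 130.0, True, "c1a2", "sim-target"),
    SimulationResult("t3", "privilege_escalation", 100.0, True, "c1a2", "sim-target"),
    SimulationResult("t4", "privilege_escalation", 140.0, True, "c1a2", "sim-target"),
]


def run_sample() -> Dict[str, object]:
    """Evaluate every constructed result against the constructed logs and report."""
    return build_report([evaluate(r, SAMPLE_LOGS) for r in SAMPLE_RESULTS])
```

With the sample data, t1 is credited to the alert at 120.0, t2 is not (both alerts predate it), and only privilege_escalation is flagged in the report because it was missed twice.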
The following are embodiments of the system of the present application that may be used to implement embodiments of the method of the present application. For details not disclosed in the embodiments of the system of the present application, reference is made to embodiments of the method of the present application.
Referring to fig. 5, a schematic diagram of the modules of an attack simulation detection system for a Docker container according to an embodiment of the present disclosure is shown. The attack simulation detection system for a Docker container may include a task acquisition module 1, a container release module 2 and an attack simulation module 3, wherein:
the task acquisition module 1 is used for acquiring an attack simulation task;
the container release module 2 is used for releasing two resident containers according to the attack simulation task, the two resident containers comprising a worker container and a target container with a vulnerability;
and the attack simulation module 3 is used for controlling the worker container to attack the target container and implanting a webshell into the target container according to the vulnerability, so that the business server simulates an attack behavior based on the webshell and the security device detects the attack behavior.
On the basis of the foregoing embodiments, as an optional embodiment, the attack simulation detection system for a Docker container may further include an image upload module, a war package deployment module, a war package deployment judging module and an information prompting module, wherein:
the image upload module is used for uploading the images of the two resident containers to the host on which the agent is installed, according to the attack simulation task;
the war package deployment module is used for controlling the target container through the docker api and deploying a war package with a vulnerability in the target container;
the war package deployment judging module is used for continuously judging whether the war package with the vulnerability has been deployed successfully; if the deployment succeeds, the step of controlling the worker container to attack the target container is executed; the method further comprises the following step: if the deployment does not succeed, the attack simulation task is ended;
the information prompting module is used for acquiring the container information of the attack simulation sent by the business server if the security device has the capability of detecting the attack simulation, and for generating prompt information indicating a potential safety hazard of the security device if the security device does not have that capability, the prompt information comprising the attack characteristic.
It should be noted that, in the system provided by the foregoing embodiment, only the division into functional modules is illustrated; in practical applications the functions may be assigned to different functional modules as needed, that is, the internal structure of the device may be divided into different functional modules to complete all or part of the functions described above. In addition, the system and method embodiments provided above belong to the same concept, and their specific implementation processes are described in detail in the method embodiments and are not repeated here.
An embodiment of the present application further provides a computer storage medium which may store multiple instructions suitable for being loaded by a processor to execute the attack simulation detection method for a Docker container according to the foregoing embodiment; for the specific execution process, reference may be made to the description of the embodiment shown in fig. 1, which is not repeated here.
Please refer to fig. 6, which provides a schematic structural diagram of an electronic device according to an embodiment of the present disclosure. As shown in fig. 6, the electronic device 1000 may include: at least one processor 1001, at least one network interface 1004, a user interface 1003, memory 1005, at least one communication bus 1002.
The communication bus 1002 is used to implement connection communication among these components.
The user interface 1003 may include a Display screen (Display) and a Camera (Camera), and the optional user interface 1003 may also include a standard wired interface and a wireless interface.
The network interface 1004 may optionally include a standard wired interface, a wireless interface (e.g., WI-FI interface), among others.
The processor 1001 may include one or more processing cores. The processor 1001 connects the various parts of the server 1000 using various interfaces and lines, and performs the various functions of the server 1000 and processes data by running the instructions, programs, code sets or instruction sets stored in the memory 1005 and by calling the data stored in the memory 1005. Optionally, the processor 1001 may be implemented in at least one of the hardware forms Digital Signal Processing (DSP), Field-Programmable Gate Array (FPGA) and Programmable Logic Array (PLA). The processor 1001 may integrate one or more of a Central Processing Unit (CPU), a Graphics Processing Unit (GPU), a modem, and the like. The CPU mainly handles the operating system, the user interface, application programs and the like; the GPU renders and draws the content to be displayed on the display screen; the modem handles wireless communication. It is understood that the modem may also not be integrated into the processor 1001 but implemented as a separate chip.
The memory 1005 may include a Random Access Memory (RAM) or a Read-Only Memory (ROM). Optionally, the memory 1005 includes a non-transitory computer-readable medium. The memory 1005 may be used to store an instruction, a program, code, a set of codes, or a set of instructions. The memory 1005 may include a program storage area and a data storage area, wherein the program storage area may store instructions for implementing an operating system, instructions for at least one function (such as a touch function, a sound playing function, an image playing function, etc.), instructions for implementing the various method embodiments described above, and the like; the data storage area may store the data referred to in the above method embodiments. The memory 1005 may optionally be at least one memory device located remotely from the processor 1001. As shown in fig. 6, the memory 1005, as a kind of computer storage medium, may include an operating system, a network communication module, a user interface module, and an application program implementing the attack simulation detection method for a Docker container.
It should be noted that: in the above embodiment, when the device implements the functions thereof, only the division of the functional modules is illustrated, and in practical applications, the functions may be distributed by different functional modules according to needs, that is, the internal structure of the device may be divided into different functional modules to implement all or part of the functions described above. In addition, the apparatus and method embodiments provided by the above embodiments belong to the same concept, and specific implementation processes thereof are described in the method embodiments for details, which are not described herein again.
In the electronic device 1000 shown in fig. 6, the user interface 1003 mainly serves as an interface through which the user provides input and through which the data input by the user is acquired; the processor 1001 may be configured to invoke the application program stored in the memory 1005 that implements the attack simulation detection method for a Docker container, which, when executed by the one or more processors, causes the electronic device to perform the method as described in one or more of the above embodiments.
An electronic-device-readable storage medium having instructions stored thereon is also provided; the instructions, when executed by one or more processors, cause an electronic device to perform a method as described in one or more of the above embodiments.
It is clear to a person skilled in the art that the solution of the present application can be implemented by means of software and/or hardware. The "unit" and "module" in this specification refer to software and/or hardware that can perform a specific function independently or in cooperation with other components, where the hardware may be, for example, a Field-Programmable Gate Array (FPGA), an Integrated Circuit (IC), or the like.
It should be noted that, for simplicity of description, the above-mentioned method embodiments are described as a series of acts or combination of acts, but those skilled in the art will recognize that the present application is not limited by the order of acts described, as some steps may occur in other orders or concurrently depending on the application. Further, those skilled in the art should also appreciate that the embodiments described in the specification are preferred embodiments and that the acts and modules referred to are not necessarily required in this application.
In the foregoing embodiments, the descriptions of the respective embodiments have respective emphasis, and for parts that are not described in detail in a certain embodiment, reference may be made to related descriptions of other embodiments.
In the several embodiments provided in the present application, it should be understood that the disclosed apparatus may be implemented in other manners. For example, the above-described embodiments of the apparatus are merely illustrative, and for example, the division of the units is only one type of division of logical functions, and there may be other divisions when actually implementing, for example, a plurality of units or components may be combined or may be integrated into another system, or some features may be omitted, or not implemented. In addition, the shown or discussed mutual coupling or direct coupling or communication connection may be an indirect coupling or communication connection of some service interfaces, devices or units, and may be an electrical or other form.
The units described as separate parts may or may not be physically separate, and parts displayed as units may or may not be physical units, may be located in one place, or may be distributed on a plurality of network units. Some or all of the units can be selected according to actual needs to achieve the purpose of the solution of the embodiment.
In addition, functional units in the embodiments of the present application may be integrated into one processing unit, or each unit may exist alone physically, or two or more units are integrated into one unit. The integrated unit can be realized in a form of hardware, and can also be realized in a form of a software functional unit.
The integrated unit, if implemented in the form of a software functional unit and sold or used as a stand-alone product, may be stored in a computer-readable memory. Based on this understanding, the technical solution of the present application, in essence or in the part that contributes to the prior art, or all or part of the technical solution, may be embodied in the form of a software product stored in a memory and including several instructions for causing a computer device (which may be a personal computer, a server, or a network device) to execute all or part of the steps of the method described in the embodiments of the present application. The aforementioned memory includes various media capable of storing program code, such as a USB disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a removable hard disk, a magnetic disk, or an optical disk.
Those skilled in the art will appreciate that all or part of the steps in the methods of the above embodiments may be implemented by a program which instructs the associated hardware to perform the steps; the program may be stored in a computer-readable memory, and the memory may include a flash disk, a Read-Only Memory (ROM), a Random Access Memory (RAM), a magnetic disk, an optical disk, and the like.
The above description is only an exemplary embodiment of the present disclosure, and the scope of the present disclosure should not be limited thereby. That is, all equivalent changes and modifications made in accordance with the teachings of the present disclosure are intended to be included within the scope of the present disclosure. Other embodiments of the disclosure will be apparent to those skilled in the art from consideration of the specification and practice of the disclosure herein. This application is intended to cover any variations, uses, or adaptations of the disclosure following, in general, the principles of the disclosure and including such departures from the present disclosure as come within known or customary practice within the art to which the disclosure pertains. It is intended that the specification and examples be considered as exemplary only, with a true scope and spirit of the disclosure being indicated by the following claims.

Claims (10)

1. An attack simulation detection method of a Docker container is applied to an agent installed in a computer device host, and the method comprises the following steps:
acquiring an attack simulation task;
releasing two resident containers according to the attack simulation task, wherein the two resident containers comprise a worker container and a target container with a vulnerability;
and controlling the worker container to attack the target container, and implanting a webshell into the target container according to the vulnerability, so that the business server simulates an attack behavior based on the webshell and the security device detects the attack behavior.
2. The Docker container attack simulation detection method according to claim 1, wherein before releasing two resident containers according to the attack simulation task, the method further comprises:
uploading the images of the two resident containers to the computer device host on which the agent is installed, according to the attack simulation task.
3. The Docker container attack simulation detection method according to claim 1, wherein after obtaining the attack simulation task, the method further comprises:
controlling the target container through a container interface, and deploying a war package with a vulnerability in the target container.
4. The attack simulation detection method for a Docker container according to claim 3, wherein after releasing two resident containers according to the attack simulation task, the method further comprises:
continuously judging whether the war package with the vulnerability has been deployed successfully;
if the war package with the vulnerability has been deployed successfully, executing the step of controlling the worker container to attack the target container;
the method further comprising the following step:
if deployment of the war package with the vulnerability fails, ending the attack simulation task.
5. The attack simulation detection method for a Docker container according to claim 3, wherein the controlling the worker container to attack the target container comprises:
controlling the tomcat service in the target container to unpack the war package and start the vulnerable service corresponding to the war package;
and controlling the worker container to attack the vulnerable service corresponding to the war package in the target container.
6. The attack simulation detection method for a Docker container according to claim 1, wherein the controlling the worker container to attack the target container and implanting a webshell into the target container according to the vulnerability, so that a business server simulates an attack behavior based on the webshell and a security device detects the attack behavior, comprises:
controlling the worker container to attack the target container and implanting a webshell into the target container according to the vulnerability, so that the business server performs an attack simulation based on the webshell; if the business server determines that the attack characteristic of the attack simulation exists in the security device, determining that the security device has the capability of detecting the attack simulation, so that the security device detects the attack behavior;
the method further comprising the following step:
if the attack characteristic does not exist in the security device, determining that the security device does not have the capability of detecting the attack simulation.
7. The attack simulation detection method for a Docker container according to claim 6, wherein after determining whether the security device has the capability of detecting the attack simulation, the method further comprises:
if the security device has the capability of detecting the attack simulation, acquiring the container information of the attack simulation sent by the business server;
and if the security device does not have the capability of detecting the attack simulation, generating prompt information indicating a potential safety hazard of the security device, the prompt information comprising the attack characteristic.
8. An attack simulation detection system for a Docker container, the system comprising:
the task acquisition module (1) is used for acquiring an attack simulation task;
the container release module (2) is used for releasing two resident containers according to the attack simulation task, wherein the two resident containers comprise a worker container and a target container with a vulnerability;
and the attack simulation module (3) is used for controlling the worker container to attack the target container and implanting a webshell into the target container according to the vulnerability, so that the business server simulates an attack behavior based on the webshell and the security device detects the attack behavior.
9. A computer-readable storage medium storing instructions which, when executed, perform the attack simulation detection method for a Docker container according to any one of claims 1 to 7.
10. An electronic device, comprising: a processor and a memory; wherein the memory stores a computer program, and the computer program is suitable for being loaded by the processor and executing the attack simulation detection method of the Docker container according to any one of claims 1 to 7.
CN202310148712.7A 2023-02-22 2023-02-22 Attack simulation detection method, system, medium and electronic device for Docker container Pending CN115809120A (en)
Publications (1)

Publication Number Publication Date
CN115809120A (en) 2023-03-17
Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
RJ01 Rejection of invention patent application after publication

Application publication date: 20230317