CN116048718A - Method and device for improving security of cloud-hosted Web application program based on container - Google Patents


Info

Publication number
CN116048718A
Authority
CN
China
Prior art keywords
containers
database
container
web application
jump
Prior art date
Legal status (as listed by Google Patents; an assumption, not a legal conclusion): Pending
Application number
CN202211641017.6A
Other languages
Chinese (zh)
Inventor
郝健强
申旭辉
孙财新
胡昊
潘霄峰
吕月秋
占艳琪
沈旭
王鸿策
Current assignee (as listed by Google Patents; may be inaccurate): Huaneng Zhejiang Energy Sales Co ltd; Huaneng Clean Energy Research Institute
Original assignee: Huaneng Zhejiang Energy Sales Co ltd; Huaneng Clean Energy Research Institute
Application filed by Huaneng Zhejiang Energy Sales Co ltd and Huaneng Clean Energy Research Institute
Priority: CN202211641017.6A
Publication: CN116048718A
Legal status: Pending

Classifications

    • G: Physics
    • G06: Computing; calculating or counting
    • G06F: Electric digital data processing
    • G06F 8/60: Software deployment (under G06F 8/00 Arrangements for software engineering)
    • G06F 9/45558: Hypervisor-specific management and integration aspects (under G06F 9/00 Arrangements for program control; 9/06 using stored programs; 9/44 Arrangements for executing specific programs; 9/455 Emulation, interpretation, software simulation, e.g. virtualisation of application or operating system execution engines; 9/45533 Hypervisors, virtual machine monitors)
    • G06F 2009/45562: Creating, deleting, cloning virtual machine instances
    • G06F 2009/4557: Distribution of virtual machine instances; migration and load balancing
    • Y02D 10/00: Energy efficient computing, e.g. low power processors, power management or thermal management (under Y02 Technologies for mitigation or adaptation against climate change; Y02D Climate change mitigation technologies in information and communication technologies)

Landscapes

  • Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • General Engineering & Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention discloses a method and a device for improving the security of a container-based, cloud-hosted Web application. The method comprises: building a Web application and, within it, a MongoDB database cluster made of Docker container instances, so that the Web application comprises a plurality of database containers; classifying the data stored in those containers according to the container types to obtain a data classification result; building a hopping defense model (rendered "jump defense model" in the original translation) from the classification result and the characteristics of the MongoDB cluster, and outputting the distribution characteristics of the data held by the database containers across the Docker container instances; and configuring a load balancer for the MongoDB cluster on the basis of those distribution characteristics, so that data are distributed and mapped to hosts and the hopping defense model exposes a single interface to every database container. The invention obtains virtualization with a very small memory footprint and reduces the damage an attacker can do to the Web application by hopping containers between hosts.

Description

Method and device for improving security of cloud-hosted Web application program based on container
Technical Field
The invention relates to the technical field of the Internet, in particular to a method and a device for improving the security of a cloud-hosted Web application based on containers.
Background
Because of flexible pricing and ease of management, a large number of enterprise services are built on top of cloud environments. As companies store more and more data in the cloud, the security of cloud servers becomes more important. To protect this critical data, security staff may use network protocols with stronger security guarantees, hardware with built-in security functions, malware detection systems, and so on. Despite these measures, attackers may still reach critical data over the Internet, especially through Web applications deployed in a cloud service environment. Important steps for protecting a Web application from exploitation include using up-to-date cryptography, requiring proper authentication, patching discovered vulnerabilities, and maintaining a healthy software development environment. Realistically, an attacker can still find vulnerabilities even in a reasonably well-secured environment. In a virtual power plant, energy can be refined into a comprehensive control carrier formed by organically combining distributed energy sources, controllable loads and distributed energy storage facilities. Therefore, when an energy management and trading platform is built, the data stores for the various distributed energy sources (wind power, photovoltaic generation, micro gas turbine units, small hydroelectric units and the like), for controllable loads (factory, office building and air-conditioning energy consumption and the like) and for distributed energy storage facilities (electric vehicles, battery storage and the like) can be placed in different databases, forming a Web application cloud cluster.
An emerging security idea is to deploy the Web application as a cloud cluster and then use the redundancy and connectivity of that cluster to build a hopping defense inside the cloud server. Hopping defense periodically moves application instances from one host to another, where the hosts have different IP addresses or ports. An intruder who gains access to a specific host therefore cannot keep control of it for long. Security is obtained by limiting how long any particular host can remain under attack and under the intruder's control, which reduces the damage done. The approach resembles a space-time trade-off: higher security is achieved by dynamically changing the cluster composition at the cost of a small fraction of performance.
The most common way to improve Web application security is a Web application firewall (WAF), which protects the application from malicious HTTP traffic by placing a filtering barrier between the target server and the attacker. A WAF can therefore defend against attacks such as cross-site request forgery, cross-site scripting and SQL injection. However, firewalls are costly, hardware firewalls especially so, which makes them hard for an ordinary user or a small project to deploy.
At present, protecting vulnerable Web applications is a complex task that is usually handled by two conventional methods:
The first is firewall technology. It uses functions such as cache acceleration, a unified authentication interface and DDoS protection to adapt actively to a constantly changing network security environment, and includes packet filtering, which inspects packet header information and filters according to filtering rules. A stateful inspection firewall dynamically builds a state table, which allows the temporary ports opened by some complex protocols to be managed effectively; the dynamic state table is the core of the stateful inspection firewall. After receiving a connection request from a client, the firewall uses a proxy to check the client's source and destination IP addresses and decides whether to allow the connection according to preset filtering rules; if the connection is allowed, the client is identified.
The second is to deploy the Web application on virtual hosts. Web applications in a cloud environment depend heavily on virtualization, which splits a physical computing device into one or more virtual devices, each of which can be used and managed easily to perform computing tasks. In IP-address-based virtual hosting, multiple IP addresses are bound to the server and the Web server is configured so that different websites are bound to different IP addresses. Different hostnames then resolve to different IP addresses, which plays a role in protecting the Web applications.
In view of the above, the installation and maintenance costs of a firewall are high, and using one can severely affect a company's overall productivity. Staff are sometimes tempted to use backdoors, which creates security problems because the data transmitted through these backdoors is not properly inspected. Although a firewall can block basic types of trojans, it proves ineffective against other kinds of malware, which can still enter the system in the form of data. With conventional virtual machine technology, each virtual machine includes not only the application, which is typically only a few hundred MB in size, but also an entire virtualized operating system, which may be 10 GB or more. Deploying a cluster on virtual machine infrastructure may therefore take a great deal of time and resources because of the size of the files and the limits of network and disk bandwidth.
Disclosure of Invention
The present invention aims to solve at least one of the technical problems in the related art to some extent.
Therefore, the invention provides a method for improving the security of cloud-hosted Web applications based on containers: a new security mechanism for cluster-based applications that protects the Web application through container hopping. The virtualization technology Docker is used to build a MongoDB database cluster, and a module-calling algorithm is used to call the different MongoDB shards. In this way virtualization is obtained with very little memory, and the damage that can be done to the Web application is reduced by container hopping.
Another object of the present invention is to propose a device for improving the security of cloud-hosted Web applications based on containers.
A third object of the invention is to propose a computer device.
A fourth object of the invention is to propose a non-transitory computer readable storage medium.
To achieve the above objects, in one aspect the present invention provides a method for improving the security of a cloud-hosted Web application based on containers, comprising:
building a Web application, and building a MongoDB database cluster from Docker container instances within the Web application, so that the Web application comprises a plurality of database containers;
classifying the data stored in the database containers according to the types of the database containers to obtain a data classification result;
building a hopping defense model from the data classification result and the characteristics of the MongoDB database cluster, and outputting the distribution characteristics of the data stored in the database containers across the Docker container instances;
and configuring a load balancer for the MongoDB database cluster based on the distribution characteristics, so that data are distributed and mapped to hosts and the hopping defense model provides a single interface to each database container.
In addition, the method for improving the security of a cloud-hosted Web application based on containers according to embodiments of the invention may have the following additional technical features:
Further, in an embodiment of the present invention, classifying the data stored in the plurality of database containers according to the types of the database containers to obtain a data classification result comprises:
establishing a performance baseline for comparison in the Web application;
taking the write-request throughput of the database containers as the performance indicator, recording the response time and obtaining the deviation from the baseline; and
classifying the database containers with the BCNF algorithm to obtain data classification results for a plurality of related databases.
Further, in one embodiment of the present invention, the method further comprises:
acquiring the hop frequency of the containers in the hopping defense model;
collecting data at that hop frequency and analysing the proportion of hopped containers in the MongoDB database cluster;
obtaining the number of hopped containers from that proportion, so as to obtain the change in throughput as a function of the number of hopped containers.
Further, in one embodiment of the invention, by increasing the hop frequency and the percentage of hopped containers, a linear model is built to predict the effect of the container hopping parameters on write throughput:
T=<f,p,C,M>
where T is the write throughput, f is the hop frequency, p is the percentage of hopped containers, C is the CPU parameter and M is the memory.
To achieve the above objects, another aspect of the present invention provides a device for improving the security of a cloud-hosted Web application based on containers, comprising:
a database construction module, configured to build a Web application and to build a MongoDB database cluster from Docker container instances within the Web application, so that the Web application comprises a plurality of database containers;
a data classification module, configured to classify the data stored in the database containers according to the types of the database containers to obtain a data classification result;
a hopping defense module, configured to build a hopping defense model from the data classification result and the characteristics of the MongoDB database cluster, and to output the distribution characteristics of the data stored in the database containers across the Docker container instances;
and a load-balancing configuration module, configured to configure a load balancer for the MongoDB database cluster based on the distribution characteristics, so that data are distributed and mapped to hosts and the hopping defense model provides a single interface to each database container.
A third aspect of the invention provides a computer device comprising a processor and a memory;
the processor reads the executable program code stored in the memory and runs the program corresponding to that code, so as to implement the method for improving the security of a cloud-hosted Web application based on containers.
A fourth aspect of the present invention proposes a non-transitory computer-readable storage medium on which a computer program is stored, characterized in that the program, when executed by a processor, implements the method for improving the security of a cloud-hosted Web application based on containers.
The method, device, equipment and storage medium for improving the security of a cloud-hosted Web application based on containers disclosed by the embodiments of the invention form a new security mechanism for cluster-based applications, in which the Web application is protected through container hopping. The virtualization technology Docker is used to build a MongoDB database cluster, and a module-calling algorithm is used to call the different MongoDB shards. Virtualization is obtained with very little memory, and the damage that can be done to the Web application is reduced by container hopping.
Additional aspects and advantages of the invention will be set forth in part in the description which follows and, in part, will be obvious from the description, or may be learned by practice of the invention.
Drawings
The foregoing and/or additional aspects and advantages of the invention will become apparent and readily appreciated from the following description of the embodiments, taken in conjunction with the accompanying drawings, in which:
FIG. 1 is a flow chart of a method for improving the security of a cloud-hosted Web application based on containers according to an embodiment of the present invention;
FIG. 2 is a framework diagram of a hopping defense model according to an embodiment of the invention;
FIG. 3 is a schematic diagram of the database classification process using the BCNF algorithm according to an embodiment of the present invention;
FIG. 4 is a schematic diagram of a device for improving the security of a cloud-hosted Web application based on containers according to an embodiment of the invention;
FIG. 5 is a schematic diagram of a computer device according to an embodiment of the invention.
Detailed Description
It should be noted that, without conflict, the embodiments of the present invention and features of the embodiments may be combined with each other. The invention will be described in detail below with reference to the drawings in connection with embodiments.
In order that those skilled in the art will better understand the present invention, a technical solution in the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings in which it is apparent that the described embodiments are only some embodiments of the present invention, not all embodiments. All other embodiments, which can be made by those skilled in the art based on the embodiments of the present invention without making any inventive effort, shall fall within the scope of the present invention.
Methods, apparatuses, devices and storage media for improving security of cloud-hosted Web applications based on containers according to embodiments of the present invention are described below with reference to the accompanying drawings.
FIG. 1 is a flow chart of a method for improving the security of a cloud-hosted Web application based on containers according to an embodiment of the present invention.
As shown in FIG. 1, the method includes, but is not limited to, the following steps:
S1, building a Web application, and building a MongoDB database cluster from Docker container instances within the Web application, so that the Web application comprises a plurality of database containers;
S2, classifying the data stored in the plurality of database containers according to the types of the database containers to obtain a data classification result;
S3, building a hopping defense model from the data classification result and the characteristics of the MongoDB database cluster, and outputting the distribution characteristics of the data stored in the database containers across the Docker container instances;
and S4, configuring a load balancer for the MongoDB database cluster based on the distribution characteristics, so that data are distributed and mapped to hosts and the hopping defense model provides a single interface to each database container.
The method for improving security of cloud-hosted Web applications based on containers according to the embodiment of the invention is described in detail below with reference to the accompanying drawings.
Specifically, when a container is hopped it is shut down and then restarted on another host. This process may cause an interruption on the server side, especially when several containers are moved at once, because some application instances cannot be used again until the restart has completed. To evaluate the impact of container hopping on a real-world application, embodiments of the invention build a Web application that contains multiple database containers. The experiments use MongoDB database clusters built from Docker container instances. The stored information is then classified sensibly by database type, and MongoDB's sharding is used so that the data are distributed and striped across the container instances. To provide a single interface to the various databases, the cluster built by the hopping defense model needs a load balancer to handle the distribution and mapping of data to hosts. The framework of the hopping defense model is shown in FIG. 2.
Furthermore, after testing several open-source load-testing tools, the invention found Apache JMeter to perform best and used it for the statistical analysis. The test calls were written with the mature MongoDB Java API and the JMeter Java API to measure MongoDB write and count throughput.
Next, a performance baseline for comparison is established, together with the performance metrics to emphasise. Embodiments of the invention may measure response time, latency and many other parameters to find deviations from the baseline.
Specifically, the response time is recorded with write-request throughput as the key performance indicator. Meanwhile the database is classified into a plurality of related databases using the BCNF algorithm, as shown in FIG. 3.
BCNF, in full Boyce-Codd Normal Form, was proposed by Boyce and Codd; it goes a step further than 3NF and is generally regarded as a corrected third normal form.
Let the relation schema R<U, F> be in 1NF. If for every functional dependency X→Y in F with Y not contained in X, X contains a candidate key (that is, X is a superkey), then R is in BCNF. The conditions for BCNF are: every non-prime attribute is fully functionally dependent on every candidate key; every prime attribute is fully functionally dependent on every candidate key that does not contain it; and no attribute is fully functionally dependent on any set of attributes that is not a candidate key. The third normal form is defined as follows: a relation schema R is in 3NF if there are no key X, attribute group Y and non-prime attribute Z such that X→Y and Y→Z hold while Y→X does not hold.
That is, a relation in 2NF (second normal form) from which the transitive dependencies of non-prime attributes on the key have been eliminated is in 3NF.
Projecting the 3NF relation and eliminating the partial and transitive dependencies of prime attributes on keys in the original relation yields a set of BCNF relations.
As one embodiment of the present invention, R in 3NF is defined to exclude any transitive dependencies and partial dependencies of attributes on keys. However, if R is in 3NF, R is not necessarily in BCNF.
1. In the relation schema STJ(S, T, J), S is a student, T a teacher and J a course. Each teacher teaches only one course; each course has several teachers; once a student chooses a course, a fixed teacher is assigned. The following functional dependencies follow from the semantics:
(S, J)→T; (S, T)→J; T→J.
(S, J) and (S, T) are candidate keys.
STJ is in 3NF because no non-prime attribute is transitively or partially dependent on a key. But STJ is not in BCNF, because T is a determinant and T is not a superkey.
2. Suppose a warehouse management table has the columns warehouse ID, stored item ID, administrator ID and quantity, that one administrator works in only one warehouse, and that a warehouse may store several kinds of items. The following functional dependencies hold in this table:
(warehouse ID, stored item ID) → (administrator ID, quantity); (administrator ID, stored item ID) → (warehouse ID, quantity);
Therefore both (warehouse ID, stored item ID) and (administrator ID, stored item ID) are candidate keys of the warehouse management table, and the only non-key column is quantity, which satisfies the third normal form. However, the following dependencies also exist:
(warehouse ID) → (administrator ID); (administrator ID) → (warehouse ID);
that is, a key attribute determines another key attribute, so the table does not satisfy BCNF.
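The two schemas above can be checked mechanically. The following Python example is added here and is not code from the patent: it computes attribute closures and candidate keys from the functional dependencies, tests the 3NF and BCNF conditions stated above, and performs the projection into BCNF relations that the text mentions. The single-letter attribute names for the warehouse table (W, I, A, Q) are this example's own abbreviations.

```python
"""Candidate keys, 3NF and BCNF checks, and BCNF decomposition from functional dependencies.

Added example; not code from the patent. The two schemas are the ones discussed in the text.
"""
from itertools import combinations


def closure(attrs, fds):
    """Attribute closure X+ of attrs under fds, a list of (lhs, rhs) pairs of sets."""
    result = set(attrs)
    changed = True
    while changed:
        changed = False
        for lhs, rhs in fds:
            if lhs <= result and not rhs <= result:
                result |= rhs
                changed = True
    return result


def candidate_keys(attributes, fds):
    """Every minimal set of attributes whose closure is the whole relation."""
    attributes = set(attributes)
    keys = []
    for size in range(1, len(attributes) + 1):
        for combo in combinations(sorted(attributes), size):
            cand = set(combo)
            if any(k <= cand for k in keys):        # proper superset of a key: not minimal
                continue
            if closure(cand, fds) == attributes:
                keys.append(cand)
    return keys


def is_superkey(x, attributes, fds):
    return closure(x, fds) == set(attributes)


def bcnf_violations(attributes, fds):
    """Non-trivial FDs X -> Y whose determinant X is not a superkey: the BCNF test of the text."""
    return [(lhs, rhs) for lhs, rhs in fds
            if not rhs <= lhs and not is_superkey(lhs, attributes, fds)]


def third_nf_violations(attributes, fds):
    """3NF additionally tolerates X -> Y when every attribute of Y - X is prime."""
    prime = set().union(*candidate_keys(attributes, fds))
    return [(lhs, rhs) for lhs, rhs in bcnf_violations(attributes, fds)
            if not (rhs - lhs) <= prime]


def project_fds(sub, fds):
    """FDs holding on the projection onto sub: X -> (X+ ∩ sub) - X for every X inside sub."""
    sub = set(sub)
    projected = []
    for size in range(1, len(sub)):
        for combo in combinations(sorted(sub), size):
            x = set(combo)
            y = (closure(x, fds) & sub) - x
            if y:
                projected.append((x, y))
    return projected


def bcnf_decompose(attributes, fds):
    """Split on a violating X -> Y into (X ∪ Y) and (R - (Y - X)) until every piece is in BCNF.

    Each split is lossless because the two pieces share X, which is a key of X ∪ Y.
    """
    todo, done = [set(attributes)], []
    while todo:
        rel = todo.pop()
        violations = bcnf_violations(rel, project_fds(rel, fds))
        if not violations:
            done.append(rel)
            continue
        lhs, rhs = violations[0]
        todo.append(lhs | rhs)
        todo.append(rel - (rhs - lhs))
    return done


# Example 1 of the text: STJ(S, T, J) with (S,J)->T, (S,T)->J, T->J.
STJ = {"S", "T", "J"}
STJ_FDS = [({"S", "J"}, {"T"}), ({"S", "T"}, {"J"}), ({"T"}, {"J"})]

# Example 2 of the text, abbreviated: W = warehouse ID, I = item ID, A = administrator ID, Q = quantity.
WAREHOUSE = {"W", "I", "A", "Q"}
WAREHOUSE_FDS = [({"W", "I"}, {"A", "Q"}), ({"A", "I"}, {"W", "Q"}),
                 ({"W"}, {"A"}), ({"A"}, {"W"})]


def report(name, attributes, fds):
    keys = [" ".join(sorted(k)) for k in candidate_keys(attributes, fds)]
    print(f"{name}: candidate keys {keys}; "
          f"3NF={not third_nf_violations(attributes, fds)}; "
          f"BCNF violations={bcnf_violations(attributes, fds)}; "
          f"BCNF decomposition={[sorted(r) for r in bcnf_decompose(attributes, fds)]}")


if __name__ == "__main__":
    report("STJ", STJ, STJ_FDS)
    report("warehouse", WAREHOUSE, WAREHOUSE_FDS)
```

For STJ the checker finds the keys (S,J) and (S,T), no 3NF violation, the BCNF violation T→J, and the decomposition into (T,J) and (S,T); for the warehouse table it finds the two candidate keys of the text, no 3NF violation, the BCNF violations between warehouse ID and administrator ID, and the decomposition into (warehouse ID, administrator ID) and (administrator ID, item ID, quantity).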
Embodiments of the invention hop the containers at different frequencies to evaluate the impact on performance. Each experiment was repeated several times and the results averaged. The result is that hopping a single container, even at one hop per second, has little effect on overall cluster performance. This is due to MongoDB replica sets, whose primary-secondary arrangement ensures that when one instance is shut down another immediately takes its place, so throughput is not significantly affected by hops. Throughput may drop when several containers are moved at higher frequencies: when half of the containers are hopped, overall cluster performance is only 50%. Moving one third of the containers shows almost the same trend, although throughput is affected more negatively. Throughput was found to drop linearly when more than half of the containers are moved more frequently. Importantly, however, 50% of the baseline cluster performance can still be achieved even when up to 80% of the cluster nodes hop at 1-second intervals.
Further, embodiments of the invention fix the hop frequency and collect data to analyse the percentage of hopped containers in the whole cluster, finding that throughput decreases as more containers are hopped but begins to level off once 50% or more of the containers are moved.
In one embodiment of the invention, suppose a database cluster of n containers and a load balancer that distributes database requests across the containers. If an attacker gains access to container number 1, he can steal data from the database instance for as long as he has access to that container. By periodically hopping the container to another host, the invention cuts off such unauthorized access, so that the attacker has only a limited period in which to use the compromised host. The invention may also change a subset of the configuration parameters at each move, improving security by avoiding the reuse of an identical environment configuration. In summary, the invention not only increases the hop frequency and, at the same time, the percentage of hopped containers, but also builds a linear model to predict how the container hopping parameters affect throughput:
T=<f,p,C,M>
where T is the write throughput, f is the hop frequency, p is the percentage of hopped containers, C is the CPU parameter and M is the memory.
To increase the security of a cloud-hosted Web application, the invention transfers an application instance from one host to another, which may have a different IP address or port, so that an attacker who gains access to a particular host cannot control it for long. Security is achieved by limiting the time any particular host is attacked and controlled by an attacker, which reduces the damage that can be done.
As an embodiment of the invention, suppose a database cluster of n containers with a load balancer that distributes database requests across the containers, the MongoDB cluster being built from Docker container instances. The BCNF algorithm is used to split the database into several databases, meaning that the data are distributed and striped across the containers. To provide a single interface to the database, the cluster needs config servers to handle the distribution and mapping of data to hosts; the overall structure is shown in FIG. 2. Let n be 6, so that there are 6 shards: the master database is distributed over 6 containers, together with 3 config servers and the query router software, for a total of 10 containers.
According to the method for improving the security of a cloud-hosted Web application based on containers disclosed by the embodiments of the invention, the Web application is protected through container hopping, a new security mechanism for cluster-based applications. The virtualization technology Docker is used to build a MongoDB database cluster, and a module-calling algorithm is used to call the different MongoDB shards. Virtualization is obtained with very little memory, and the damage that can be done to the Web application is reduced by container hopping.
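The cluster and the hop described in this embodiment, as an added Python example that is not code from the patent: it builds the 10-container topology (6 shards, 3 config servers, 1 query router), plans each hop interval so that a fraction p of the containers is moved round robin to a different host and to a host:port endpoint that has never been used before, emits the corresponding docker CLI commands, and checks the security property stated above, namely that no container stays at one endpoint for longer than ceil(n/k)/f seconds, where k = floor(p·n) is the number of containers hopped per interval. The host IP addresses, SSH access to the hosts, the mongo:6.0 image and one container per shard are assumptions of the example, not of the text.

```python
"""Hop planner for the Docker-hosted MongoDB sharded cluster of the text.

Added example; not code from the patent. Assumed here and not stated in the text: three Docker
hosts with the IP addresses below, reachable over SSH, the official mongo image, and one
container per shard (a production shard would be a multi-member replica set).
"""
import math
from dataclasses import dataclass, field

HOSTS = ("10.0.0.11", "10.0.0.12", "10.0.0.13")   # assumed Docker hosts


@dataclass
class Container:
    name: str
    role: str                                      # "shardsvr", "configsvr" or "mongos"
    host: str
    port: int                                      # host port published for container port 27017
    history: list = field(default_factory=list)    # (host, port) endpoints already used
    hop_times: list = field(default_factory=list)  # seconds at which this container hopped


def build_topology(n_shards=6, n_config=3, hosts=HOSTS):
    """The cluster of the text: 6 shard containers + 3 config servers + 1 query router = 10."""
    cluster = [Container(f"shard{i}", "shardsvr", hosts[i % len(hosts)], 27018 + i)
               for i in range(n_shards)]
    cluster += [Container(f"cfg{i}", "configsvr", hosts[i % len(hosts)], 27100 + i)
                for i in range(n_config)]
    cluster.append(Container("mongos0", "mongos", hosts[0], 27017))
    return cluster


def hop_commands(cluster, c, new_host, new_port, image="mongo:6.0"):
    """docker CLI lines for one hop: remove the instance where it runs, start it on new_host:new_port.

    mongod gets an explicit --port because --shardsvr/--configsvr change its default port, and
    --bind_ip_all so the published port is reachable from the other hosts. The mongos --configdb
    string is rebuilt from wherever the config servers currently are.
    """
    if c.role == "mongos":
        cfg = ",".join(f"{x.host}:{x.port}" for x in cluster if x.role == "configsvr")
        daemon = f"mongos --bind_ip_all --configdb cfgrs/{cfg}"
    else:
        rs = "cfgrs" if c.role == "configsvr" else f"{c.name}rs"
        daemon = f"mongod --{c.role} --replSet {rs} --port 27017 --bind_ip_all"
    return [f"ssh {c.host} docker rm -f {c.name}",
            f"ssh {new_host} docker run -d --name {c.name} -p {new_port}:27017 {image} {daemon}"]


def hop_count(n, p):
    """Containers hopped per interval, k = floor(p*n), at least one (epsilon absorbs float noise)."""
    return max(1, math.floor(p * n + 1e-9))


def plan_interval(cluster, p, t, cursor, hosts=HOSTS):
    """Hop a fraction p of the cluster at time t, round robin starting at cursor.

    The new host is always different from the current one and the new (host, port) pair has
    never been used by any container, so an endpoint an attacker has learned is never reused.
    Returns (commands, hopped containers, next cursor).
    """
    n = len(cluster)
    k = hop_count(n, p)
    commands, hopped = [], []
    for j in range(k):
        c = cluster[(cursor + j) % n]
        used = {ep for x in cluster for ep in x.history} | {(x.host, x.port) for x in cluster}
        new_host = hosts[(hosts.index(c.host) + 1) % len(hosts)]
        new_port = next(q for q in range(27017, 28000) if (new_host, q) not in used)
        commands += hop_commands(cluster, c, new_host, new_port)
        c.history.append((c.host, c.port))
        c.host, c.port = new_host, new_port
        c.hop_times.append(t)
        hopped.append(c)
    return commands, hopped, (cursor + k) % n


def dwell_bound(n, p, f):
    """Round-robin guarantee: every container hops within ceil(n/k) intervals of length 1/f."""
    return math.ceil(n / hop_count(n, p)) / f


def simulate(cluster, f, p, duration):
    """Hop at f hops per second for duration seconds and return the longest time any container
    stayed at one endpoint, i.e. the longest window an attacker could keep using it."""
    cursor = 0
    for i in range(1, int(duration * f) + 1):
        _, _, cursor = plan_interval(cluster, p, i / f, cursor)
    worst = 0.0
    for c in cluster:
        prev = 0.0                                   # deployed at t = 0
        for t in c.hop_times:
            worst, prev = max(worst, t - prev), t
        worst = max(worst, duration - prev)          # still sitting at its last endpoint
    return worst


if __name__ == "__main__":
    cluster = build_topology()
    cmds, hopped, _ = plan_interval(cluster, 0.5, 1.0, 0)
    print("\n".join(cmds))
    print("hopped:", [c.name for c in hopped])
    print("worst dwell at f=1, p=0.5:", simulate(build_topology(), 1.0, 0.5, 20.0),
          "guaranteed <=", dwell_bound(10, 0.5, 1.0))
```

Running the file prints the commands for the first interval and the measured against the guaranteed dwell time. Two things a real hop needs that the example leaves out: the replica set configuration and the load balancer in front of the query router have to be told the new address of the moved member, and a hop preserves the shard's data only because other replica set members still hold a copy, which is exactly the redundancy the throughput experiments above rely on; a shard with a single member would lose its data when its container is removed.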
In order to implement the above embodiment, as shown in fig. 4, there is further provided an apparatus 10 for improving security of a cloud-hosted Web application based on a container, where the apparatus 10 includes a database construction module 100, a data classification module 200, a jump defense module 300, and a configuration load balancing module 400.
The database construction module 100 is configured to construct a Web application, and construct a MongoDB database cluster using a Docker container instance in the Web application; wherein the Web application comprises a plurality of database containers;
the data classification module 200 is configured to perform data classification on data stored in the plurality of database containers based on the types of the plurality of database containers to obtain a data classification result;
the jump defense module 300 is configured to construct a jump defense model according to the data classification result and the characteristics of the MongoDB database cluster, and output and obtain the distribution characteristics of the data stored in the plurality of database containers in the Docker container instance;
the configuration load balancing module 400 is configured to configure a load balancer for the MongoDB database cluster based on the distribution characteristics, so as to distribute and map data to hosts, so that the jump defense model provides a single interface for each database container.
Further, the data classification module 200 is further configured to:
establishing a baseline of comparison performance in Web application;
taking the throughput of the write requests in the plurality of database containers as a performance index, recording response time, and obtaining a deviation value from the baseline; and
and classifying the plurality of database containers by using a BCNF algorithm to obtain data classification results of a plurality of related databases.
Further, the apparatus 10 further includes a throughput variation module configured to:
obtaining the jump frequency of the containers in the jump defense model;
collecting related data based on the jump frequency and analyzing the proportion of jumped containers in the MongoDB database cluster;
deriving the number of jumped containers from the proportion of jumped containers, so as to derive a throughput variation result from the number of jumped containers.
Further, by increasing the jump frequency and the percentage of jumped containers, a linear model is built to predict the effect of the container jump parameters on write throughput:
T=<f,p,C,M>
where T is the write throughput, f is the jump frequency, p is the jumped-container percentage, C is the CPU parameter, and M is the memory.
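The cluster layout of the embodiment (6 database containers, 3 configuration servers and the router, 10 containers in all) and the throughput model above, as an added simulation that is not part of the patent: containers are moved to a new host:port at jump frequency f and jump percentage p, the mean residence time of a container on one host (the bound on an attacker's dwell time) is derived as 1/(f*p), and the write-throughput prediction uses an assumed linear form since the patent leaves the form of T open. Host addresses, port ranges and the per-hop cost are constructed values.

```python
import random
from dataclasses import dataclass, replace

# Constructed pool of hosts/ports (hypothetical addresses, not from the patent).
HOST_POOL = ["10.0.0.11", "10.0.0.12", "10.0.0.13", "10.0.0.14"]
PORT_POOL = list(range(27017, 27027))

@dataclass(frozen=True)
class Container:
    name: str
    role: str  # "db", "config" or "router"
    host: str
    port: int

def build_cluster(n_db=6, n_config=3):
    """Layout of the patent's example: n_db database containers, n_config
    configuration servers and one router; 6 + 3 + 1 = 10 for n_db = 6."""
    cluster = [Container(f"db{i}", "db", HOST_POOL[i % len(HOST_POOL)], 27017) for i in range(n_db)]
    cluster += [Container(f"config{i}", "config", HOST_POOL[i % len(HOST_POOL)], 27019)
                for i in range(n_config)]
    cluster.append(Container("router", "router", HOST_POOL[0], 27020))
    return cluster

def hop(c, rng):
    """Move one container to a different host:port; an attacker holding the
    old host loses this instance at that moment."""
    while True:
        host, port = rng.choice(HOST_POOL), rng.choice(PORT_POOL)
        if (host, port) != (c.host, c.port):
            return replace(c, host=host, port=port)

def run_hops(cluster, p, rounds, seed=0):
    """Each round, move a random fraction p of the database containers (config
    servers and router stay put). Returns the final layout and, per round,
    the set of hopped container names."""
    rng = random.Random(seed)
    state = {c.name: c for c in cluster}
    k = round(p * sum(1 for c in cluster if c.role == "db"))
    history = []
    for _ in range(rounds):
        victims = rng.sample([n for n, c in state.items() if c.role == "db"], k)
        for name in victims:
            state[name] = hop(state[name], rng)
        history.append(frozenset(victims))
    return list(state.values()), history

def expected_residence_time(f, p):
    """Mean time a container stays on one host when hop events occur f times
    per second and each moves a given container with probability p: 1/(f*p)."""
    return 1.0 / (f * p)

def predict_write_throughput(t0, f, p, hop_cost):
    """Assumed linear form for T = <f, p, C, M> (the patent leaves it open): each
    hop takes the moved containers offline for hop_cost seconds, floored at 0."""
    return t0 * max(0.0, 1.0 - f * p * hop_cost)
```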
According to the device for improving the security of a cloud-hosted Web application based on a container disclosed by the embodiment of the invention, the security of the Web application is protected through container hopping, a new security mechanism for clustered applications. The virtualization technology Docker is used to establish a MongoDB database cluster, and a module calling algorithm is used to call different MongoDB database fragments. Virtualization can be achieved with very little memory, and the extent of damage to the Web application can be reduced by container hopping.
In order to implement the method of the above embodiment, the present invention further provides a computer device, as shown in fig. 5, the computer device 600 includes a memory 601 and a processor 602; wherein the processor 602 runs a program corresponding to executable program code stored in the memory 601 by reading the executable program code for implementing the steps of the method for improving security of a cloud-hosted Web application based on a container described above.
In order to implement the method of the above embodiment, the present invention also provides a non-transitory computer-readable storage medium having stored thereon a computer program which, when executed by a processor, implements a method of improving security of a cloud-hosted Web application based on a container.
In the description of the present specification, a description referring to the terms "one embodiment," "some embodiments," "examples," "specific examples," or "some examples," etc., means that a particular feature, structure, material, or characteristic described in connection with the embodiment or example is included in at least one embodiment or example of the present invention. In this specification, schematic representations of the above terms are not necessarily directed to the same embodiment or example. Furthermore, the particular features, structures, materials, or characteristics described may be combined in any suitable manner in any one or more embodiments or examples. Furthermore, the different embodiments or examples described in this specification, and the features of the different embodiments or examples, may be combined by those skilled in the art without contradiction.
Furthermore, the terms "first," "second," and the like, are used for descriptive purposes only and are not to be construed as indicating or implying a relative importance or implicitly indicating the number of technical features indicated. Thus, a feature defining "a first" or "a second" may explicitly or implicitly include at least one such feature. In the description of the present invention, the meaning of "plurality" means at least two, for example, two, three, etc., unless specifically defined otherwise.

Claims (10)

1. A method for improving security of a cloud-hosted Web application based on a container, comprising the steps of:
constructing a Web application, and constructing a MongoDB database cluster by using a Docker container instance in the Web application; wherein the Web application comprises a plurality of database containers;
data classification is carried out on the data stored in the database containers based on the types of the database containers to obtain a data classification result;
constructing a jump defense model according to the data classification result and the characteristics of the MongoDB database cluster, and outputting the distribution characteristics of the data stored in the database containers in a Docker container instance;
and configuring a load balancer for the MongoDB database cluster based on the distribution characteristics so as to distribute and map data to hosts, so that the jump defense model provides a single interface for each database container.
2. The method of claim 1, wherein the data classification of the data stored in the plurality of database containers based on the type of the plurality of database containers results in a data classification result, comprising:
establishing a baseline of comparison performance in the Web application;
taking the throughput of the write requests in the plurality of database containers as a performance index, recording response time, and obtaining a deviation value from the baseline; and
and classifying the plurality of database containers by using a BCNF algorithm to obtain data classification results of a plurality of related databases.
3. The method according to claim 1, characterized in that the method further comprises:
acquiring the jump frequency of the containers in the jump defense model;
collecting related data based on the jump frequency and analyzing the proportion of jumped containers in the MongoDB database cluster;
obtaining the number of jumped containers based on the proportion of jumped containers, so as to obtain a throughput variation result according to the number of jumped containers.
4. The method according to claim 3, characterized in that, by increasing the jump frequency and the percentage of jumped containers, a linear model is built to predict the effect of the container jump parameters on the write throughput:
T=<f,p,C,M>
where T is the write throughput, f is the hop frequency, p is the hop container percentage, C is the CPU parameter, and M is the memory.
5. An apparatus for improving security of a cloud-hosted Web application based on a container, comprising:
the database construction module is used for constructing Web application and constructing a MongoDB database cluster by using a Docker container instance in the Web application; wherein the Web application comprises a plurality of database containers;
the data classification module is used for classifying the data stored in the database containers based on the types of the database containers to obtain data classification results;
the jump defense module is used for constructing a jump defense model according to the data classification result and the characteristics of the MongoDB database cluster, and outputting and obtaining the distribution characteristics of the data stored in the database containers in the Docker container instance;
and the configuration load balancing module is used for configuring a load balancer for the MongoDB database cluster based on the distribution characteristics so as to distribute and map data to hosts, so that the jump defense model provides a single interface for each database container.
6. The apparatus of claim 5, wherein the data classification module is further configured to:
establishing a baseline of comparison performance in the Web application;
taking the throughput of the write requests in the plurality of database containers as a performance index, recording response time, and obtaining a deviation value from the baseline; and
and classifying the plurality of database containers by using a BCNF algorithm to obtain data classification results of a plurality of related databases.
7. The apparatus of claim 5, further comprising a throughput variation module configured to:
acquiring the jump frequency of the containers in the jump defense model;
collecting related data based on the jump frequency and analyzing the proportion of jumped containers in the MongoDB database cluster;
obtaining the number of jumped containers based on the proportion of jumped containers, so as to obtain a throughput variation result according to the number of jumped containers.
8. The apparatus of claim 7, wherein, by increasing the jump frequency and the percentage of jumped containers, a linear model is built to predict the effect of the container jump parameters on write throughput:
T=<f,p,C,M>
where T is the write throughput, f is the hop frequency, p is the hop container percentage, C is the CPU parameter, and M is the memory.
9. A computer device comprising a processor and a memory;
wherein the processor runs a program corresponding to executable program code stored in the memory by reading the executable program code for implementing the method of improving cloud-hosted Web application security based on a container as claimed in any of claims 1-4.
10. A non-transitory computer readable storage medium having stored thereon a computer program, which when executed by a processor implements a method of improving cloud-hosted Web application security based on a container as claimed in any of claims 1-4.
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202211641017.6A CN116048718A (en) 2022-12-20 2022-12-20 Method and device for improving security of cloud-hosted Web application program based on container

Publications (1)

Publication Number Publication Date
CN116048718A true CN116048718A (en) 2023-05-02

Family

ID=86112582

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117076581A (en) * 2023-10-12 2023-11-17 之江实验室 Data setting method and storage medium for non-relational database
CN117076581B (en) * 2023-10-12 2024-03-19 之江实验室 Data setting method and storage medium for non-relational database

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination