CN116302362A - Container progress defense method, system and electronic equipment - Google Patents

Container progress defense method, system and electronic equipment Download PDF

Info

Publication number
CN116302362A
CN116302362A CN202310418395.6A CN202310418395A CN116302362A CN 116302362 A CN116302362 A CN 116302362A CN 202310418395 A CN202310418395 A CN 202310418395A CN 116302362 A CN116302362 A CN 116302362A
Authority
CN
China
Prior art keywords
container
started
blocking
storage space
server
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN202310418395.6A
Other languages
Chinese (zh)
Inventor
郭涛
曹宇
王佩
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Alibaba Cloud Computing Ltd
Original Assignee
Alibaba Cloud Computing Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Alibaba Cloud Computing Ltd filed Critical Alibaba Cloud Computing Ltd
Priority to CN202310418395.6A priority Critical patent/CN116302362A/en
Publication of CN116302362A publication Critical patent/CN116302362A/en
Pending legal-status Critical Current

Links

Images

Classifications

    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00Arrangements for program control, e.g. control units
    • G06F9/06Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44Arrangements for executing specific programs
    • G06F9/455Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
    • G06F9/45533Hypervisors; Virtual machine monitors
    • G06F9/45558Hypervisor-specific management and integration aspects
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F21/00Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F21/50Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F21/55Detecting local intrusion or implementing counter-measures
    • G06F21/554Detecting local intrusion or implementing counter-measures involving event detection and direct action
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00Arrangements for program control, e.g. control units
    • G06F9/06Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44Arrangements for executing specific programs
    • G06F9/455Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
    • G06F9/45533Hypervisors; Virtual machine monitors
    • G06F9/45558Hypervisor-specific management and integration aspects
    • G06F2009/45587Isolation or security of virtual machine instances
    • GPHYSICS
    • G06COMPUTING; CALCULATING OR COUNTING
    • G06FELECTRIC DIGITAL DATA PROCESSING
    • G06F9/00Arrangements for program control, e.g. control units
    • G06F9/06Arrangements for program control, e.g. control units using stored programs, i.e. using an internal store of processing equipment to receive or retain programs
    • G06F9/44Arrangements for executing specific programs
    • G06F9/455Emulation; Interpretation; Software simulation, e.g. virtualisation or emulation of application or operating system execution engines
    • G06F9/45533Hypervisors; Virtual machine monitors
    • G06F9/45558Hypervisor-specific management and integration aspects
    • G06F2009/45591Monitoring or debugging support

Landscapes

  • Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Physics & Mathematics (AREA)
  • General Engineering & Computer Science (AREA)
  • General Physics & Mathematics (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Retry When Errors Occur (AREA)

Abstract

The application discloses a process defense method, a system and electronic equipment of a container. Wherein the method comprises the following steps: monitoring a process to be started in the container in response to the starting of the container; determining a storage space of a process to be started in a container; in response to the storage space being at a non-mirrored layer of the container, the process to be started is blocked within the container. The application solves the technical problem of low defending performance of the container.

Description

Container progress defense method, system and electronic equipment
Technical Field
The present application relates to the field of data processing, and in particular, to a method, a system, and an electronic device for defending a container against a process.
Background
Currently, in the running process of a container, implantation of malicious software (defending object to be defended) is a kind of hacking behavior with high occurrence frequency in a security event, and the hacking behavior needs to be defended.
In the related art, usually, attack and defense experience is acquired, rules such as malicious software, process behaviors and the like are written based on the acquired attack and defense experience, and the rules are applied to the defense of the malicious software, but the rules in the method are usually realized by adopting modes such as regularization, feature matching and the like, and the performance of the defense is influenced when the rules are more, so that the technical problem of low defense performance of a container is caused.
In view of the above problems, no effective solution has been proposed at present.
Disclosure of Invention
The embodiment of the application provides a process defense method, a system and electronic equipment of a container, which are used for at least solving the technical problem of low defense performance of the container.
According to one aspect of the embodiments of the present application, a method for defending a container against a process is provided. The method may include: monitoring a process to be started in the container in response to the starting of the container; determining a storage space of a process to be started in a container; in response to the storage space being at a non-mirrored layer of the container, the process to be started is blocked within the container.
According to an aspect of the embodiments of the present application, another method of defending a container against a process is also provided. The method may include: monitoring a process to be started in the container in response to the starting of the container; determining a storage space of a process to be started in a container; responding to the storage space being positioned in a non-mirror layer which is a container, sending a blocking request to a server, wherein the blocking request is used for requesting the server to block a process to be started; and blocking the process to be started in the container in response to a blocking instruction issued by the server based on the blocking request.
According to an aspect of the embodiments of the present application, another method of defending a container against a process is also provided. The method may include: obtaining a blocking request from a client, wherein the blocking request is generated by the client when a storage space of a process to be started in a started container is positioned at a non-mirror layer of the container, and the blocking request is used for requesting to block the process to be started; and responding to the blocking request, and sending a blocking instruction to the client, wherein the blocking instruction is used for enabling the client to block the process to be started in the container.
According to an aspect of the embodiments of the present application, there is also provided a process defense system of a container. The system may include: the client is used for responding to the starting of the container, monitoring a process to be started in the container, and sending a blocking request to the server in response to the fact that a storage space of the process to be started in the container is located in a non-mirror layer of the container; the server is used for responding to the blocking request and sending a blocking instruction to the client; the client is used for responding to the blocking instruction and blocking the process to be started in the container.
According to an aspect of the embodiment of the application, there is further provided an electronic device, where the electronic device includes a memory and a processor, the memory is configured to store an executable program, and the processor is configured to execute the program, where when the program is executed, to control the device where the storage medium is located to execute the process defense method of the container of any one of the above.
According to another aspect of the embodiments of the present application, there is further provided a computer readable storage medium, where the computer readable storage medium includes a stored program, and when the program runs, controls a device in which the storage medium is located to execute the process defense method of the container of any one of the above.
According to another aspect of the embodiments of the present application, there is further provided a processor, configured to execute a program, where the process defense method of any one of the containers described above is executed when the program is executed.
In the embodiment of the application, responding to the starting of the container, and monitoring a process to be started in the container; determining a storage space of a process to be started in a container; in response to the storage space being at a non-mirrored layer of the container, the process to be started is blocked within the container. That is, in the embodiment of the present application, when a process to be started, in which a storage space is located in a non-mirror layer, occurs during operation of a container, it may be determined that the process to be started is a defending object that the container needs to defend, and starting of the defending object is prevented in the container, so that a technical effect of improving defending performance of the container is achieved, and a technical problem of low defending performance of the container is solved.
Drawings
The accompanying drawings, which are included to provide a further understanding of the application and are incorporated in and constitute a part of this application, illustrate embodiments of the application and together with the description serve to explain the application and do not constitute an undue limitation to the application. In the drawings:
FIG. 1 is a block diagram of the hardware architecture of a computer terminal (or mobile device) for implementing a process defense method for containers according to an embodiment of the present application;
FIG. 2 is a block diagram of a computing environment according to an embodiment of the present application;
FIG. 3 is a flow chart of a method of process defense of a container according to an embodiment of the present application;
FIG. 4 is a flow chart of another method of process defense of a container according to an embodiment of the present application;
FIG. 5 is a flow chart of another method of process defense of a container according to an embodiment of the present application;
FIG. 6 is a schematic diagram of a process defense system of a container according to an embodiment of the present application;
FIG. 7 is a flow chart of a method of actively defending against malware in accordance with an embodiment of the present application;
FIG. 8 is a schematic diagram of a container readable and writable layer identification module according to an embodiment of the present application;
FIG. 9 is a schematic diagram of a container process blocking process according to an embodiment of the present application;
FIG. 10 is a schematic diagram of a process defense device of a container according to an embodiment of the present application;
FIG. 11 is a schematic diagram of a process defense device of another container according to an embodiment of the present application;
FIG. 12 is a schematic diagram of a process defense device of another container according to an embodiment of the present application;
fig. 13 is a block diagram of a computer terminal according to an embodiment of the present application;
fig. 14 is a block diagram of an electronic device of a process defense method of a container according to an embodiment of the present application.
Detailed Description
In order to make the present application solution better understood by those skilled in the art, the following description will be made in detail and with reference to the accompanying drawings in the embodiments of the present application, it is apparent that the described embodiments are only some embodiments of the present application, not all embodiments. All other embodiments, which can be made by one of ordinary skill in the art based on the embodiments herein without making any inventive effort, shall fall within the scope of the present application.
It should be noted that the terms "first," "second," and the like in the description of the present application and the above-described figures are used for distinguishing between similar objects and not necessarily for describing a particular sequential or chronological order. It is to be understood that the data so used may be interchanged where appropriate such that embodiments of the present application described herein may be implemented in sequences other than those illustrated or otherwise described herein. Furthermore, the terms "comprises," "comprising," and "having," and any variations thereof, are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of steps or elements is not necessarily limited to those steps or elements expressly listed but may include other steps or elements not expressly listed or inherent to such process, method, article, or apparatus.
First, partial terms or terminology appearing in describing embodiments of the present application are applicable to the following explanation:
the container mirror image can be a template for creating a container instance and can contain information such as application program codes, dependency libraries, configuration and the like required for creating the container;
a container, which may be in a virtualized form, may contain all necessary executable files, code, and dependency libraries and configuration files, and in a large application deployment, multiple containers may be deployed as one or more container clusters that may be managed by a container orchestration program such as an open source system (e.g., kubernetes);
when the container runs, the component of the container can be run and managed on a single host, and the component can comprise various functions such as mirror image management, container life cycle management, configuration and the like;
malware, which may be software with a malicious intent, refers broadly to all software that attempts to compromise a computer or software running on a computer;
expert experience rules, which can refer to rules obtained by extracting features from malicious software and malicious behaviors according to knowledge and experience, summarizing, and the program can warn or block hit behaviors by matching the behaviors with expert experience rules, so that the effect of safety protection is achieved;
The white list can be a mechanism and a permission list, and entities which are included in the white list can be endowed with certain privileges, service permissions and rights, and entities outside the white list do not have rights;
a missing report may refer to a situation where the report is originally abnormal (Condition positive), but is mistaken for normal (Predicted condition negative).
Example 1
There is also provided, in accordance with an embodiment of the present application, a method of defending against a process of a container, it being noted that the steps illustrated in the flowcharts of the figures may be performed in a computer system, such as a set of computer executable instructions, and that, although a logical order is illustrated in the flowcharts, in some cases, the steps illustrated or described may be performed in an order other than that illustrated herein.
The embodiment of the method for defending a process of a container provided in the first embodiment of the present application may be executed in a mobile terminal, a computer terminal or a similar computing device. Fig. 1 is a block diagram of a hardware architecture of a computer terminal (or mobile device) for implementing a process defense method of a container according to an embodiment of the present application. As shown in fig. 1, the computer terminal 10 (or mobile device) may include one or more processors 102 (shown as 102a, 102b, … …,102 n) which may include, but are not limited to, a microprocessor (Micro Controller Unit, abbreviated as MCU) or a processing device such as a programmable logic device FPGA, a memory 104 for storing data, and a transmission module 106 for communication functions. In addition, the method may further include: a display, an input/output interface (I/O interface), a universal serial BUS (Universal Serial Bus, simply USB) port (which may be included as one of the ports of the BUS), a network interface, a power supply, and/or a camera. It will be appreciated by those of ordinary skill in the art that the configuration shown in fig. 1 is merely illustrative and is not intended to limit the configuration of the electronic device described above. For example, the computer terminal 10 may also include more or fewer components than shown in FIG. 1, or have a different configuration than shown in FIG. 1.
It should be noted that the one or more processors 102 and/or other data processing circuits described above may be referred to generally herein as "data processing circuits. The data processing circuit may be embodied in whole or in part in software, hardware, firmware, or any other combination. Furthermore, the data processing circuitry may be a single stand-alone processing module, or incorporated, in whole or in part, into any of the other elements in the computer terminal 10 (or mobile device). As referred to in the embodiments of the present application, the data processing circuit acts as a processor control (e.g., selection of the path of the variable resistor termination to interface).
The memory 104 may be used to store software programs and modules of application software, such as program instructions/data storage devices corresponding to the process defense method of the container in the embodiments of the present application, and the processor 102 executes the software programs and modules stored in the memory 104, thereby executing various functional applications and data processing, that is, implementing the above-mentioned authentication method of data. Memory 104 may include high-speed random access memory, and may also include non-volatile memory, such as one or more magnetic storage devices, flash memory, or other non-volatile solid-state memory. In some examples, the memory 104 may further include memory located remotely from the processor 102, which may be connected to the computer terminal 10 via a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
The transmission means 106 is arranged to receive or transmit data via a network. The specific examples of the network described above may include a wireless network provided by a communication provider of the computer terminal 10. In one example, the transmission device 106 includes a network adapter (Network Interface Controller, simply referred to as NIC) that can connect to other network devices through a base station to communicate with the internet. In one example, the transmission device 106 may be a Radio Frequency (RF) module, which is used to communicate with the internet wirelessly.
The display may be, for example, a touch screen type liquid crystal display (Liquid Crystal Display, simply LCD) that may enable a user to interact with a user interface of the computer terminal 10 (or mobile device).
The hardware block diagram shown in fig. 1 may be used not only as an exemplary block diagram of the computer terminal 10 (or mobile device) described above, but also as an exemplary block diagram of the server described above, and in an alternative embodiment, fig. 2 shows, in block diagram form, one embodiment of using the computer terminal 10 (or mobile device) shown in fig. 1 described above as a computing node in a computing environment 201. Fig. 2 is a block diagram of a computing environment, as shown in fig. 2, where the computing environment 201 includes a plurality of computing nodes (e.g., servers) running on a distributed network (shown as 210-1, 210-2, …) in accordance with an embodiment of the present application. The computing nodes each contain local processing and memory resources and end user 202 may run applications or store data remotely in computing environment 201. An application may be provided as a plurality of services 220-1,220-2,220-3 and 220-4 in computing environment 201, representing services "A", "D", "E", and "H", respectively.
End user 202 may provide and access services through a web browser or other software application on a client, in some embodiments, provisioning and/or requests of end user 202 may be provided to portal gateway 230. Ingress gateway 230 may include a corresponding agent to handle provisioning and/or request for services (one or more services provided in computing environment 201).
Services are provided or deployed in accordance with various virtualization techniques supported by the computing environment 201. In some embodiments, services may be provided according to Virtual Machine (VM) based virtualization, container based virtualization, and/or the like. Virtual machine-based virtualization may be the emulation of a real computer by initializing a virtual machine, executing programs and applications without directly touching any real hardware resources. While the virtual machine virtualizes the machine, according to container-based virtualization, a container may be started to virtualize the entire Operating System (OS) so that multiple workloads may run on a single Operating System instance.
In one embodiment based on container virtualization, several containers of a service may be assembled into one Pod (e.g., kubernetes Pod). For example, as shown in FIG. 2, the service 220-2 may be equipped with one or more Pods 240-1,240-2, …,240-N (collectively referred to as Pods). The Pod may include an agent 245 and one or more containers 242-1,242-2, …,242-M (collectively referred to as containers). One or more containers in the Pod handle requests related to one or more corresponding functions of the service, and the agent 245 generally controls network functions related to the service, such as routing, load balancing, etc. Other services may also be equipped with Pod similar to Pod.
In operation, executing a user request from end user 202 may require invoking one or more services in computing environment 201, and executing one or more functions of one service may require invoking one or more functions of another service. As shown in FIG. 2, service "A"220-1 receives a user request of end user 202 from ingress gateway 230, service "A"220-1 may invoke service "D"220-2, and service "D"220-2 may request service "E"220-3 to perform one or more functions.
The computing environment may be a cloud computing environment, and the allocation of resources is managed by a cloud service provider, allowing the development of functions without considering the implementation, adjustment or expansion of the server. The computing environment allows developers to execute code that responds to events without building or maintaining a complex infrastructure. Instead of expanding a single hardware device to handle the potential load, the service may be partitioned to a set of functions that can be automatically scaled independently.
In the above-described operating environment, the present application provides a process defense method for a container as shown in fig. 3. Fig. 3 is a flow chart of a process defense method of a container according to an embodiment of the present application. As shown in fig. 3, the method may include the steps of:
In step S302, in response to the container starting, a process to be started in the container is monitored.
In the technical solution provided in step S302 of the present application, after the container is started, the process to be started in the container may be monitored in response to the container start. The process to be started can be a process file, a process starting event can be monitored, and the process to be started can be determined based on the process starting event.
Optionally, after the container is started, in response to the container being started, a process monitoring module in the client continuously monitors a process to be started event (which may be simply referred to as an event) in the container, and when the process to be started exists in the container, the module may capture the process to be started in the container based on the process starting event.
For example, the process monitoring module of the client is started after the container is started, and enters a monitoring state, and when a process to be started is started on the container, the process monitoring module of the client can automatically capture the process to be started in order to achieve the purpose of monitoring the process to be started in the container.
Optionally, the process monitoring module of the client may determine that an event of process start occurs in the container by monitoring an instruction of the system to start a process, and may monitor a process to be started in the container.
Step S304, the storage space of the process to be started in the container is determined.
In the technical solution provided in step S304, the monitored storage space of the process to be started in the container may be determined. The storage space may be a space for storing a file of a process to be started, and may be a readable and writable layer or a read-only layer.
For example, after the container is started, the readable-writable layer identification module in the container receives the container starting notification and starts working, and the readable-writable layer identification module can automatically identify the storage space of the process to be started in the current container environment, can store the storage space, and performs subsequent judgment.
In step S306, the process to be started is blocked in the container in response to the storage space being located in the non-mirrored layer of the container.
In the technical solution provided in step S306, it is determined whether the storage space of the program to be started is located in the non-mirror layer of the container, if the storage space is located in the non-mirror layer of the container, and if the storage space is located in the non-mirror layer of the container, it may be determined that the process to be started is a defending object that the container needs to defend, and then the startup of the defending object may be blocked in the container, so as to achieve the purpose of avoiding the process to be started in the container from being started as an illegal process. Wherein the non-mirrored layer may be a readable and writable layer of the container. The non-mirrored layer stored processes may be used to adjust the files of the container during its operation, e.g., files in the container may be adjusted by deletion, modification, creation, etc. The defending object can refer to a program outside the mirror image, for example, a non-mirror file, malicious software, etc., which is given here by way of example only and is not a specific limitation on the defending object.
Optionally, the process monitoring module of the client may continuously monitor a process start event in the container, and when a process to be started in the container is monitored, the process to be started may be captured by the process monitoring module, a storage space of a process file to be started is determined, whether the storage space is located in a non-mirror layer (for example, a readable/writable layer) of the container is determined, if the judgment result is that the storage space is located in the non-mirror layer of the container, and in response to the storage space being located in the non-mirror layer of the container, the process to be started may be determined to be a defending object to be defended.
Alternatively, the container image is a template for creating a container instance, containing the application code, dependency library, configuration, etc. information needed to create the container. The container image is immutable after creation. These programs are located only on the read-only layer of the container. Created by the user himself, can generally be considered trusted. After the container is started, if the written program is installed in the running process, the newly written program does not belong to the mirror image, is non-mirror image, and can be determined that the storage space of the newly written process is positioned on the readable and writable layer of the container. In general, hacking occurs in the running stage of a container, an attacker enters the container by means of holes and the like, and installs malicious software, and in these cases, the storage space of the installed program to be started is not in a user mirror image but in a non-mirror image layer. Therefore, in the embodiment of the application, whether the program to be started is a defending object needing defending is judged by judging whether the storage space of the program to be started is a non-mirror image layer of the container, so that missing report of the defending object is avoided, the technical problem that the defending success rate of the container is low due to the fact that the solving thought for defending the non-mirror image program starting is summarized according to the functional characteristics of the container in the prior art is solved, and the technical effect of improving the defending success rate of the container is achieved.
Optionally, when the process to be started is determined to be a defending object needing defending, the process can be reported to the server for recording, and meanwhile, the server can send a blocking instruction to the client to block the process, so that the aim of blocking the startup of the defending object in the container is fulfilled.
Responding to the starting of the container by the steps S302 to S306, and monitoring a process to be started in the container; determining the monitored storage space of the process to be started in the container; determining that a process to be started is a defending object which needs to be defended by the container in response to the storage space being located in a non-mirror layer of the container, wherein the process stored in the non-mirror layer is used for adjusting the file of the container during the operation of the container; the defending object is blocked from being started in the container. That is, in the embodiment of the present application, when a process to be started, in which a storage space is located in a non-mirror layer, occurs during operation of a container, it may be determined that the process to be started is a defending object that the container needs to defend, and starting of the defending object is prevented in the container, so that a technical effect of improving defending performance of the container is achieved, and a technical problem of low defending performance of the container is solved.
The above-described method of this embodiment is further described below.
As an alternative embodiment, the method further comprises: and determining that the storage space is located in the non-mirrored layer in response to the address of the storage space being located in an address interval of the non-mirrored layer.
In this embodiment, it may be determined whether the address of the storage space in which the process to be started is located in the container is located in the address space of the non-mirrored layer, and in response to the address of the storage space being located in the non-mirrored layer, it may be determined that the storage space of the process to be started is located in the non-mirrored layer. Wherein the non-mirrored layer may be used to store data used to create the container.
Optionally, because the mirrored layer of the container cannot be changed after being created, if the address of the storage space of the process to be started is located in the non-mirrored layer and is located in the address interval of the mirrored layer of the container, the storage space of the process to be started can be determined to be the non-mirrored layer, so that the process to be started can be determined to be a process newly installed and written in the running process, and the process to be started can be determined to be a defending object needing defending.
After the container is started, if a newly written program is installed in the running process, the address of the storage space of the newly written program (the program to be started) does not belong to the address interval of the mirror layer and can belong to the address interval of the non-mirror layer. In general, hacking will occur in the running stage of the container, and an attacker enters the container by using a vulnerability or the like and installs malicious software, where addresses of storage spaces of processes to be started are not located in an address interval of a mirror layer, but are located in an address interval of a non-mirror layer. Therefore, in the embodiment of the application, the address of the storage space of the process to be started is judged, when the address of the storage space of the process to be started is judged to be located in the address interval of the non-mirror layer and not located in the address interval of the mirror layer of the container, the storage space can be determined to be located in the non-mirror layer, so that the process to be started can be determined to be a defending object needing defending, the process to be started is defended, and the accuracy of identifying the defending object is improved.
Alternatively, it may be determined whether the address of the memory space is located in an address interval of the non-mirrored layer, and in response to the address of the memory space being located in the address of the non-mirrored layer, it may be determined that the memory space is the non-mirrored layer. Wherein the address of the non-mirrored layer may be a readable-writable layer address.
In the embodiment of the application, whether the storage space is located in the non-mirror layer can be determined by judging whether the address of the storage space is located in the address interval of the non-mirror layer, and when the storage space is determined to be located in the non-mirror layer, the process to be started can be defended. That is, the storage space of the process to be started is determined to be a non-mirror layer, so that whether the process to be started is a defending object needing to be defended is determined, the defending object needing to be defended can be accurately defended, the problem of missing report is solved, the purpose of improving the defending success rate is achieved, the technical effect of improving the defending performance of the container is further achieved, and the technical problem of poor defending performance of the container is solved.
As an alternative embodiment, in response to a container being started, the type of file system used by the container is identified; determining an address interval of a non-mirror layer according to a file system structure corresponding to the file system type, wherein the file system structure is used for representing directory structure characteristics of a file system of the file system type; address intervals of the non-mirrored layer are cached.
In this embodiment, when a process to be started is monitored, the address of the non-mirrored layer is determined in the environment of the current container. The file system type used by the container can be identified, the file system structure corresponding to the file system type can be determined, the address interval of the non-mirror layer can be determined according to the file system structure, in response to the starting of the container, the address of the non-mirror layer obtained by identification can be cached, and the cached address of the non-mirror layer can be used for judging the address of the storage space of the process to be started. The file system types may also be referred to as file system driving types, may include types of container mirroring using a federated file system, may include a stacked file system type (overlay fs), an advanced multi-layer unified file system type (AUFS), a system type supporting copy-on-write (Btrfs), etc., and are only examples herein, and the file system types are not particularly limited. The file system structure may be used to represent directory structure characteristics of a file system of the file system type, which may be determined for directory addresses in the container-based management information.
Alternatively, the container engine type and the file system are different, and the method of determining the address of the readable and writable layer is different. The container engine type may be an open-source application container engine (dock), a daemon engine (daemon), or the like, which is only used herein as an example, and the container engine type is not particularly limited.
Optionally, after the container is started, the readable and writable layer identification module of the container receives the container starting notification and starts working, the readable and writable layer identification module can automatically identify the type of the file system used in the current container, and can calculate and obtain the address interval of the non-mirror layer according to the directory structure characteristic corresponding to the type of the file system, and the readable and writable layer address can be cached and used for subsequent judgment.
In this embodiment, the container readable-writable layer identification module supports operations compatible with multiple operation times and multiple file system types, for example, the container readable-writable layer identification module can support operations of file system types such as docker, containerd, overlayFS, and the container readable-writable layer identification module can acquire file system driving types and structure information by calling a container operation time interface, so as to calculate a readable-writable layer address of a container for caching.
For example, if a dock container engine is used, and an overlay2 file system type container is used: when the container is started, a container identity (Ident ity Document, abbreviated as ID) is generated, according to the container ID information, starting configuration information of the container, such as merge view (merge), mirror layer information, and the like, is queried through an access interface (dockerapi), management information (GraphDriver) about the container can be extracted, and a directory address (upper) in the management information is determined, so that directory structure characteristics of a file system are determined, and a readable and writable layer address (address of a non-mirror layer) of the container can be calculated according to the directory structure characteristics.
As an optional implementation manner, responding to a process starting event triggered by a process to be started in a container, and acquiring an address of a storage space of the process to be started, wherein the process starting event is used for indicating a command for starting the process; it is determined whether the obtained address of the memory space is located in an address interval of a non-mirrored layer of the cache.
In this embodiment, when there is a process to be started, a process start event is triggered, and in response to the process start event triggered by the process to be started in the container, an address of a storage space of the process to be started may be obtained. And judging whether the address of the storage space is positioned in an address interval of a non-mirror layer of the cache. The process start event may be an instruction for starting a process, which is used to indicate that a process is to be started in the container.
Optionally, the process monitoring module of the client may determine whether a process start event is triggered in the container (system) by monitoring an instruction of a system start process, determine an address of a storage space of the process to be started in response to a process start time triggered in the container by the process to be started, and determine whether the obtained address of the storage space is located in an address interval of a cached non-mirror layer based on a judgment made by a pre-cached address interval of the non-mirror layer and the address of the storage space. If the address of the storage space is located in the address interval of the non-mirror layer of the cache, the process to be started can be determined to be a defending object needing defending, and if the address of the storage space is not located in the address interval of the non-mirror layer of the cache, the process to be started can be determined to be a defending object needing not defending, and the process to be started can be released.
As an alternative embodiment, the method may further include blocking the process to be started in the container, including: sending a blocking request to a server, wherein the blocking request is used for requesting the server to block a process to be started, and the server is used for recording a log corresponding to the process to be started; and blocking the process to be started from being started in the container in response to a blocking instruction issued by the server based on the blocking request.
In this embodiment, when it is determined that the storage space is a non-mirror layer, it may be determined that the process to be started is a defending object that needs to be defended by the container, then a blocking request may be sent to the server, and in response to a blocking instruction issued by the server based on the blocking request, the process to be started may be blocked from being started in the container, so as to achieve the purpose of blocking the startup of the defending object. The blocking request may be used to request the server to block the process to be started, and may be a request sent by the client to the server. The server may be a server, and may be configured to record a log corresponding to a process to be started.
Optionally, it may be determined whether the storage space is located in a non-mirrored layer of the container, and in response to the storage space being located in the non-mirrored layer, the server may report the storage space to the server, and at the same time, send a blocking request to the server, the server may issue a blocking instruction based on the blocking request, and in response to the blocking instruction issued by the server based on the blocking request, may block a process to be started in the container.
For example, the server may log and issue a blocking instruction to the server when receiving a blocking request sent by the client. The server issues a blocking instruction based on the blocking request, and the process to be started can be blocked from being started in the container in response to the blocking instruction issued by the server based on the blocking request.
As an optional implementation manner, a blocking result for blocking the process to be started from being started in the container is reported to the server, wherein the server is used for updating the defending state of the process to be started based on the blocking result.
In this embodiment, the process to be started in the container may be blocked, the server may obtain a blocking result of the defending object started in the container, and report the blocking result to the server, and the server may update the defending state of the process to be started in the container based on the reported blocking result.
Optionally, the client process monitoring module may continuously monitor an event to be started in the container, and when monitoring the process to be started, the process monitoring module may capture the process to be started and determine a storage space where the process to be started is located in the container and an address of the storage space. The address of the storage space can be compared and analyzed with the address of the readable and writable layer of the container, if the storage space is located in the readable and writable layer (namely, the non-mirror layer) as a judgment result, the storage space can be indicated as a defending object needing to be defended, the storage space can be reported to the server for recording, meanwhile, the server can issue a blocking instruction to the client to kill the defending object so as to block the starting of the process to be started, a blocking result for blocking the starting of the process to be started in the container can be reported to the server, and the server updates the defending state of the process to be started based on the blocking result.
For example, when it is determined that the to-be-started program is an object to be defended, the client may report an event to the server, the server receives an instruction of reporting the event sent by the client, and sends a blocking instruction to the client, and the client responds to the sent blocking instruction to send a process termination signal to the to-be-started process, and the start of the to-be-started process is terminated. The termination result may be sent to the client. The client acquires the termination result of the container process, and can report the blocked execution result (namely the termination result) to the server, and the server responds to the blocked execution result reported by the client to update the defending state of the process to be started.
As an alternative embodiment, the process to be started is started in response to the storage space being located at a mirror layer of the container.
In this embodiment, a process to be started in a monitoring container is obtained, a storage space in which the monitored process to be started is located in the container is determined, whether the storage space is located in a mirror image layer of the container is determined, and in response to the storage space being located in the mirror image layer of the container, it can be determined that the storage space is an object which does not need to be defended, and the storage space can be not blocked, and the process to be started can be started.
As an alternative embodiment, the non-mirrored layer is a readable and writable layer of the container.
In this embodiment, the non-mirrored layer may be a readable and writable layer of the container.
Alternatively, the container may include a read-write layer and a read-only layer, where the process to be started is determined using the property that the creation of the container image is followed by non-alterable. If the storage space where the process to be started is located is a readable and writable layer, the process to be started can be determined to be the process written in by the container in the running process, and possibly the process newly written in after an attacker enters the container by utilizing a vulnerability and other modes, so that a defending object needing to be defended in the container can be accurately determined, and the technical effect of improving the defending performance of the container is achieved.
In the related art, a defending object (such as malicious software) is usually defended through a white list, a large number of normal file hashes are required to be collected and collected, and the defending object which needs to be blocked is determined through comparing the hash of the storage space with the white list hash, however, the method has the problem of incomplete white list content and report omission. In order to solve the problems, the storage space of the process to be started in the container is determined by using the container mirror image, and the defending object needing to be defended is determined, so that the technical effect of improving the defending performance of the container is achieved, and the technical problem of low defending performance of the container is solved.
As an alternative embodiment, the method further comprises: in response to the storage space being different from the mirrored layer of the container, the storage space is determined to be a non-mirrored layer, wherein the mirrored layer stores data used to create the container.
In this embodiment, when the process to be started is monitored, a storage space where the monitored process to be started is located in the container may be determined, an address of the storage space is determined, whether the address of the storage space is the same as an address of the mirror layer is determined, and in response to the address of the storage space being different from the address of the mirror layer, it may be determined that the storage space is the non-mirror layer. Wherein the mirror layer stores data for creating containers.
In the embodiment of the application, whether the storage space is the non-mirror layer can be determined by judging whether the address of the storage space is located in the address interval of the non-mirror layer, or whether the address of the storage space is the same as the address of the mirror layer can be determined, and when the storage space is determined to be located in the non-mirror layer, the process to be started can be defended. That is, the method and the device determine whether the storage space of the process to be started is a non-mirror layer or not through various modes, so that whether the process to be started is a defending object needing defending is determined, the technical effect of improving the defending performance of the container is achieved, and the technical problem that the defending performance of the container is poor is solved.
In the embodiment of the application, when the container is in operation, the process to be started can be determined to be the defending object which needs to defend for the container based on the storage space of the process to be started, and the startup of the defending object is prevented in the container, so that the technical effect of improving the defending performance of the container is achieved, and the technical problem of low defending performance of the container is solved.
The embodiment of the application also provides another process defense method of the container from the client side. Fig. 4 is a flow chart of another method of process defense of a container according to an embodiment of the present application, as shown in fig. 4, which may include the following steps.
In step S402, in response to the container being started, a process to be started in the container is monitored.
In the technical solution provided in step S402 of the present application, after the container is started, the process to be started in the container may be monitored in response to the container being started.
Step S404, determining the storage space of the process to be started in the container.
In step S406, in response to the storage space being located in the non-mirrored layer of the container, a blocking request is sent to the server, where the blocking request is used to request the server to block the process to be started.
In the technical solution provided in step S406 of the present application, the monitored storage space where the process to be started is located in the container is determined, whether the storage space is located in the non-mirror layer of the container is judged, and in response to the storage space being located in the non-mirror layer of the container, a blocking request may be sent to the server. Wherein the blocking request may be used to request the server to block the start of the process to be started.
In step S408, the process to be started is blocked in the container in response to the blocking instruction issued by the server based on the blocking request.
In the technical solution provided in step S408 of the present application, when it is determined that the storage space is located in the non-mirror layer of the container, a blocking request may be sent to the server in response to the storage space being located in the non-mirror layer of the container. The server can issue a blocking instruction to the client based on the blocking request, and the process to be started can be blocked from being started in the container in response to the blocking instruction issued by the server based on the blocking request.
Responding to the starting of the container by the steps S402 to S408, and monitoring a process to be started in the container; determining the monitored storage space of the process to be started in the container; responding to a non-mirror layer of a storage space as a container, and sending a blocking request to a server, wherein a process of the non-mirror layer is used for adjusting a file of the container during the running of the container, and the blocking request is used for requesting the server to block the starting of a process to be started; and responding to a blocking instruction issued by the server based on the blocking request, and blocking the process to be started from being started in the container, thereby realizing the technical effect of improving the defense performance of the container and solving the technical problem of low defense performance of the container.
The embodiment of the application also provides another process defense method of the container from the service side. Fig. 5 is a flow chart of another method of process defense of a container according to an embodiment of the present application, as shown in fig. 5, which may include the following steps.
Step S502, obtaining a blocking request from the client, where the blocking request is generated by the client when a storage space where a process to be started is located in a started container is located in a non-mirror layer of the container, and the blocking request is used for requesting to block the process to be started.
In the technical solution provided in step S502 of the present application, when the storage space where the process to be started is located in the started container is located in the non-mirror layer of the container, the client may generate the blocking request. The server may obtain a blocking request from the client. Wherein the blocking request may be used to request blocking of the start of the process to be started.
In step S504, a blocking instruction is issued to the client in response to the blocking request, where the blocking instruction is used to cause the client to block the process to be started in the container.
In the technical solution provided in step S504, a blocking instruction may be issued to the client in response to the obtained blocking request, and the client may block the start of the process to be started in the container based on the blocking instruction.
Through the steps S502 to S504, a blocking request from the client is obtained, where the blocking request is generated by the client when the storage space where the process to be started is located in the started container is a non-mirror layer of the container, and the blocking request is used for requesting to block the start of the process to be started; and responding to the blocking request, and sending a blocking instruction to the client, wherein the blocking instruction is used for enabling the client to block the process to be started from being started in the container, so that the technical effect of improving the defense performance of the container is realized, and the technical problem of low defense performance of the container is solved.
Example 2
There is further provided, in accordance with an embodiment of the present application, an embodiment of a process defense system of a container, and fig. 6 is a schematic diagram of a process defense system of a container according to an embodiment of the present application, and as shown in fig. 6, a process defense system 600 of a container may include: a client 601 and a server 602.
The client 601 is configured to monitor a process to be started in the container in response to the container starting, and send a blocking request to the server in response to a storage space in the container where the process to be started is located being located in a non-mirror layer of the container.
Alternatively, the client 601 may be configured to snoop on a process to be started within a container in response to the container starting. The client may determine whether the monitored storage space in the container where the process to be started is located in a non-mirror layer of the container, and may send a blocking request to the server in response to the monitored storage space in the container where the process to be started is located in the non-mirror layer of the container.
And the server 602 is configured to issue a blocking instruction to the client in response to the blocking request. The client is used for responding to the blocking instruction and blocking the process to be started in the container.
Alternatively, the server 602 obtains a blocking request, and in response to the blocking request, may issue a blocking instruction to the client, and in response to the blocking instruction, the server may block the process to be started in the container.
In this embodiment, the client 601 may block the process to be started from starting within the container in response to the blocking instruction.
As an alternative embodiment, the client includes: a container readable-writable layer identification module for identifying an address of a readable-writable layer of a container in response to a container start; the container process monitoring module is used for responding to the starting of the container, monitoring a process to be started corresponding to a process starting event in the container, acquiring an address of a storage space of the process to be started, and responding to the address of the storage space being positioned in an address interval of the readable and writable layer, and determining that the storage space is positioned in the readable and writable layer; the process blocking module is used for responding to the blocking instruction and triggering a process blocking signal to the process to be started, wherein the process blocking signal is used for blocking the process to be started in the container.
In this embodiment, the client may include a container readable and writable layer identification module that may be configured to identify an address of a readable and writable layer of the container via the container readable and writable layer identification module in response to a container startup.
Optionally, the client may further include a container process monitoring module, and in response to the container starting, the container monitoring module may monitor a process to be started corresponding to a process starting event in the container, and obtain an address of a storage space of the process to be started. And determining whether the address of the storage space of the process to be started is in the address interval of the readable and writable layer, and determining that the storage space is the readable and writable layer in response to the address of the storage space of the process to be started being positioned in the address interval of the readable and writable layer.
Optionally, the client may further include a process blocking module. After the blocking instruction issued by the server is acquired, a process blocking signal can be triggered to the process to be started in response to the blocking instruction. The process blocking signal may also be referred to as a process terminating signal (e.g., kill signal), and may be used to block a process to be started from starting in the container.
In this embodiment, a process defense system for a container is provided. Monitoring a process to be started in a container by a client in response to the starting of the container, and sending a blocking request to a server in response to the storage space of the process to be started in the container being positioned in a non-mirror layer of the container; sending a blocking instruction to a client by a server in response to a blocking request; the client is used for responding to the blocking instruction and blocking the process to be started in the container, so that the technical effect of improving the defense performance of the container is achieved, and the technical problem of low defense performance of the container is solved.
It should be noted that, user information (including but not limited to user equipment information, user personal information, etc.) and data (including but not limited to data for analysis, stored data, presented data, etc.) referred to in the present application, for example, data for listening to a process to be started in a container are information and data authorized by a user or sufficiently authorized by each party, and the collection, use and processing of related data need to comply with related laws and regulations and standards of related countries and regions, and are provided with corresponding operation entries for the user to select authorization or rejection.
Example 3
At present, a cloud security center (such as situation awareness) can be a server host security management system for identifying, analyzing and early warning security threats in real time, and can help users to realize automatic security operation closed loops for threat detection, response and tracing through security capabilities such as anti-lux, vulnerability scanning repair, anti-virus, tamper-proof and compliance inspection, so that host, local server and container security on the cloud are protected, and the supervision compliance requirement is met. Wherein the container security product is directed to a range of security protection functions that the user's containerized asset may provide. However, the implantation of malware during the runtime phase of a container is a highly frequent hacking activity in security events, which needs to be effectively defended against.
In one embodiment, a method for defending against malicious software by using a white list is provided, which collects a large number of public code libraries and normal and non-malicious executable files in a self-functional environment, and calculates hashes of the files to generate a normal file hash list, which is abbreviated as a white list. When a process is started in a working environment, firstly inquiring whether the process file exists in a white list, and if not, blocking the file from starting. Because the malicious software is usually implanted externally and does not exist in the white list, the effect of defending the malicious software is achieved by intercepting the file starting outside the white list, but the method is used for protecting the white list generated by collecting normal file configuration by a user or developing defending rules, a large number of white lists are needed for achieving a good protecting effect, performance problems are easily caused to influence the starting speed of the normal process of the user, the stability of the process in the running process is influenced, the method is used for collecting a large number of normal files, and due to the fact that the collecting source is incomplete, the operation and maintenance cost of the collecting process is high, the possibility of being mixed by the malicious files possibly exists, the early-stage cost of the protection is high, false alarm and missing alarm situations are easily caused, and the technical problems of limited defending effect, complex operation and the like still exist.
In another embodiment, a method for actively defending malicious software by using expert experience rules during container running is provided, the method writes rules of malicious software, process behaviors and the like according to attack and defense experience through security experts, and the rules are applied to malicious software protection, but the protection effect of the method depends on self configuration of normal file collection by users to generate a white list or develop defending rules, the rules are usually realized by using modes of regularization, feature matching and the like, the performance is influenced when the rules are more, and the technical problems of misinformation and missing report, limited defending effect, complex operation and the like still exist.
Further, the method solves the problem that the container is invaded and implanted with malicious software such as Trojan horse in the operation process, is different from the method relying on a large number of expert experience rules and massive file whitelists in the traditional safety solution, and solves the problem of missing report risks and performance caused by rule or whitelist insufficiency.
In the embodiment of the application, according to the principle that a container is written once and runs everywhere, to ensure the consistency of the environment, the basic software required by the container in running is already contained in the container mirror image, and the software is not installed and modified in the running process. Based on this precondition, when a program start-up from outside the image occurs during the running of the container, it can be determined that the program belongs to abnormal software, for example, a hacker can be implanted with malicious software such as Trojan horse. Therefore, in the embodiment of the application, in the running process of the container, the non-mirror program is identified and blocked, so that the aim of detecting and defending against the starting of the malicious software is fulfilled, and the technical effect of actively defending against the malicious software is further achieved.
The above method is further described below.
FIG. 7 is a flow chart of a method of proactively defending against malware according to embodiments of the present application, as shown in FIG. 7, which may include the following steps.
In step S701, the container is started.
In this embodiment, the client may include a container readable and writable layer identification module, an in-container process start event listening module, a process blocking module, and the like. The monitoring module of the process starting time in the container can comprise a monitoring state, and when the process is started in the container, the module can capture the process starting time.
Alternatively, the server may include a blocking instruction issuing module, a server module (which may also be referred to as a server), a container process initiation listening module, and the like.
Optionally, after the container is started, the container readable-writable layer identification module receives the container starting notification and starts working.
In step S702, the client monitors all process start events in the container, and captures a process to be started.
In this embodiment, the client process monitoring module continuously monitors the process start event in the container, and when the event occurs, the process to be started can be captured through the module.
Optionally, the client process monitoring module is started after the container is started, and enters a monitoring state, and when a process starting event is started on the container, the client process monitoring module can automatically capture the process starting event.
For example, the process monitoring module of the client may determine that a process starting event occurs in the container (system) by monitoring an instruction of the system to start a process, capture a process to be started, and continuously monitor the container.
In step S703, the client identifies and caches the address of the readable and writable layer of the container.
In this embodiment, after the container is started, the readable and writable layer identification module of the container receives the container start notification and starts working, where the module can automatically identify the type of the file system used in the current container environment, and calculate, according to the directory structure feature of the file system type, the readable and writable layer address of the container, where the readable and writable layer address can be cached and used for subsequent judgment. The file system types may include, for example only, types of container images that use federated file systems, may include stacked file system types, advanced multi-tier unified file system types, system types that support copy-on-write, and the like, and are not particularly limited herein.
Alternatively, the container engine type and the file system type are different, and the method of determining the address of the readable and writable layer is different. The container engine type may be an open-source application container engine, daemon engine, etc., which is only used herein as an example, and the container engine type is not particularly limited.
In this embodiment, the container read-write layer identification module supports compatibility with multiple runtime and multiple file system types, and fig. 8 is a schematic diagram of a container read-write layer identification module according to an embodiment of the present application, where, as shown in fig. 8, the container read-write layer identification module may support file system types such as docker, containerd, overlayFS.
As shown in fig. 8, the container readable-writable layer identification module obtains the file system driving type and the structure information by calling the container runtime interface, so as to calculate the readable-writable layer address of the container for caching.
For example, as shown in fig. 8, if a container engine of interface a (dock interface) is used, and a file system type D (e.g., overlay2 file system type) or a file system type E (e.g., aufs file system type) is used: when the container is started, container ID information is generated, according to the container ID information, starting configuration information of the container, such as view information (merge view), mirror layer information (lower layer), readable and writable layer information, and the like, is queried through an access interface, management information about the container can be extracted from the container, and a readable and writable layer address of the container is obtained based on a directory address in the management information.
As another example, as shown in fig. 8, if a container engine of interface B (container interface) is used, and a file system type D (e.g., overlay2 file system type) is used: when the container is started, container ID information is generated, according to the container ID information, starting configuration information of the container, such as view information (merge view), mirror layer information (lower layer), readable and writable layer information, and the like, is queried through an access interface, management information about the container can be extracted from the container, and a readable and writable layer address of the container is obtained based on a directory address in the management information.
As yet another alternative example, as shown in fig. 8, if a container engine of interface C (overlay 2 interface) is used, and file system type D is used: when the container is started, container ID information is generated, according to the container ID information, starting configuration information of the container, such as view information (merge view), mirror layer information (lower layer), readable and writable layer information, and the like, is queried through an access interface, management information about the container can be extracted from the container, and a readable and writable layer address of the container is obtained based on a directory address in the management information.
Step S704, reading the address of the readable and writable layer and judging the process to be started.
In this embodiment, the address of the readable and writable layer of the cached container may be read, and the client determines the storage space of the process file to be started (to be started process for short), and determines whether the process file is located on the readable and writable layer of the container, if not, step S706 may be implemented, and if located on the readable and writable layer of the container, step S705 may be implemented in real time.
Step S705, releasing the process to be started.
In this embodiment, the client determines the storage space of the process to be started, and if the storage space of the process to be started is not located in the container readable-writable layer, the client may perform a release operation on the process file.
Step S706, report the process to be started.
In this embodiment, the client may determine the storage space of the process to be started, determine whether the storage space of the process to be started is located in the container readable-writable layer, and if so, report the process to be started to the server.
Optionally, the client process monitoring module may continuously monitor a process starting event in the container, when the event occurs, the module captures a process to be started, obtains an address stored in a file of the process to be started, and performs comparison analysis on the address and a readable-writable layer address of the container, if the process file is located in the readable-writable layer of the container, it may be indicated that the process is a defending object to be defended, and the process needs to be reported to the server for recording, and meanwhile, the server needs to issue a blocking instruction to the client to kill the process and block the continuous running of the process; if not, the process to be started is not an event needing attention, and the process can be directly released without reporting, and the process can be started normally.
In step S707, the server issues a blocking instruction.
In this embodiment, the server receives the event reported by the client, logs the event and issues a blocking instruction to the client.
In step S708, the client receives the blocking instruction and terminates the start of the process to be started.
In this embodiment, the client receives the blocking instruction from the server, and the process blocking module may block the process to be started from starting by sending a termination signal, so as to complete the process defense function.
Alternatively, the process monitor module may continue to monitor for process start events and loop through the process described above.
Fig. 9 is a flowchart of a container process blocking process according to an embodiment of the present application, as shown in fig. 9, which may include the following steps.
Step S901, reporting an event.
Alternatively, the client 902 may report an event to the server 901 when determining that the storage space of the program to be started is an object that needs to be defended.
Step S902, issuing a blocking instruction.
In this embodiment, the server 901 receives an instruction of reporting an event sent by the client 902, and sends a blocking instruction to the client 902.
Step S903, update the status.
Alternatively, the server 901 may update the state in the server 901 in response to the presence of a defending object that needs to be defended.
Step S904, a blocking instruction is acquired and a process terminating signal is initiated.
In this embodiment, a client 902 signals a terminating process to a container process 903 (which may be a process to be started in a container) in response to a blocking instruction issued by a server 901.
In step S905, a termination signal is received and the process is terminated.
In this embodiment, the container process may accept a termination signal from the client, and in response to the termination signal, the process to be started in the container is terminated.
Step S906, the execution result is obtained and reported.
In this embodiment, the execution result of the terminating process may be sent to the client 902, and the client 902 obtains the execution result of the process to be started and reports the blocked execution result to the server 901.
Step S907, obtain the blocking execution result and update the status.
The server 901 may update the status of the container in the server 901 in response to the blocking execution result reported by the client 902.
Alternatively, the container image is a template for creating a container instance, containing the application code, dependency library, configuration, etc. information needed to create the container. The container image is immutable after creation. These programs are all located at the read-only layer of the container. Created by the user himself, can generally be considered trusted. After the container is started, the program written in the running process is installed and does not belong to a mirror image, and the newly written process to be started is positioned on a readable and writable layer of the container. Because the hacking usually occurs in the running stage of the container, an attacker enters the container by means of holes and the like and installs malicious software such as Trojan, and the programs do not belong to user images, the defending non-mirror programs provided by the embodiment of the application can achieve the effect of actively defending the malicious software.
In the embodiment of the application, unlike the method for defending the white list against the malicious software, a large number of normal file hashes do not need to be collected and acquired, process files do not need to be compared with the white list hashes, and the problems of missing report caused by incomplete collection and loss generated in the hash calculation and comparison process are avoided. Meanwhile, the embodiment of the application does not depend on expert experience rules, and the solution thought for defending against non-mirror program starting is summarized according to the functional characteristics of the container, namely, the solution thought for stopping program starting which does not belong to the mirror image of the container is blocked, so that the technical effect of improving the defending performance of the container is achieved, and the technical problem of low defending performance of the container is solved.
Example 4
According to an embodiment of the present application, there is also provided a process defense device for a container for implementing the process defense method for a container shown in fig. 3.
Fig. 10 is a schematic diagram of a process defense device of a container according to an embodiment of the present application, and as shown in fig. 10, a process defense device 1000 of the container may include: a first listening unit 1002, a first determining unit 1004, and a second determining unit 1006.
The first monitor unit 1002 is configured to monitor, in response to the container being started, a process to be started in the container.
A first determining unit 1004 is configured to determine a storage space in which a process to be started is located in the container.
A second determining unit 1006 is configured to block the process to be started in the container in response to the storage space being located in the non-mirrored layer of the container.
Here, it should be noted that the first listening unit 1002, the first determining unit 1004, and the second determining unit 1006 correspond to steps S302 to S308 in embodiment 1, and the four units are the same as the examples and application scenarios implemented by the corresponding steps, but are not limited to those disclosed in embodiment 1. It should be noted that the above-mentioned units may be hardware components or software components stored in a memory (for example, the memory 104) and processed by one or more processors (for example, the processors 102a,102b … …,102 n), or the above-mentioned units may be part of an apparatus and may be run in the computer terminal 10 provided in embodiment 1.
According to an embodiment of the present application, there is also provided a process defense device for a container for implementing the process defense method for a container shown in fig. 4.
Fig. 11 is a schematic diagram of another process defense device of a container according to an embodiment of the present application, and as shown in fig. 11, a process defense device 1100 of the container may include: a second listening unit 1102, a third determining unit 1104, a transmitting unit 1106 and a blocking unit 1108.
And the second monitoring unit 1102 is configured to monitor a process to be started in the container in response to the container start.
A third determining unit 1104 is configured to determine a storage space in which the process to be started is located in the container.
And a sending unit 1106, configured to send a blocking request to the server in response to the storage space being located in a non-mirrored layer that is a container, where the blocking request is used to request the server to block a process to be started.
And the blocking unit 1108 is configured to block the process to be started in the container in response to a blocking instruction issued by the server based on the blocking request.
Here, it should be noted that the second listening unit 1102, the third determining unit 1104, the transmitting unit 1106, and the blocking unit 1108 correspond to steps S402 to S408 in embodiment 1, and the four units are the same as the examples and application scenarios implemented by the corresponding steps, but are not limited to those disclosed in embodiment 1. It should be noted that the above-mentioned units may be hardware components or software components stored in a memory (for example, the memory 104) and processed by one or more processors (for example, the processors 102a,102b … …,102 n), or the above-mentioned units may be part of an apparatus and may be run in the computer terminal 10 provided in embodiment 1.
According to an embodiment of the present application, there is also provided a process defense device for a container for implementing the process defense method for a container shown in fig. 5.
Fig. 12 is a schematic diagram of another process defense device of a container according to an embodiment of the present application, and as shown in fig. 12, a process defense device 1200 of the container may include: an acquisition unit 1202 and a delivery unit 1204.
An obtaining unit 1202, configured to obtain a blocking request from a client, where the blocking request is generated by the client when a storage space where a process to be started is located in a started container is located in a non-mirror layer of the container, and the blocking request is used to request to block the process to be started.
And the issuing unit 1204 is configured to issue a blocking instruction to the client in response to the blocking request, where the blocking instruction is used to cause the client to block the process to be started in the container.
Here, the acquiring unit 1202 and the issuing unit 1204 correspond to steps S502 to S506 in embodiment 1, and the two units are the same as the examples and application scenarios implemented by the corresponding steps, but are not limited to those disclosed in embodiment 1. It should be noted that the above-mentioned units may be hardware components or software components stored in a memory (for example, the memory 104) and processed by one or more processors (for example, the processors 102a,102b … …,102 n), or the above-mentioned units may be part of an apparatus and may be run in the computer terminal 10 provided in embodiment 1.
In the process defense device of the container, when the process to be started from the non-mirror layer occurs during the operation of the container, the process to be started can be determined to be a defending object which needs to be defended for the container based on the storage space of the process to be started, and the startup of the defending object is prevented in the container, so that the technical effect of improving the defending performance of the container is achieved, and the technical problem of low defending performance of the container is solved.
Example 5
Embodiments of the present application may provide a computer terminal, which may be any one of a group of computer terminals. Alternatively, in the present embodiment, the above-described computer terminal may be replaced with a terminal device such as a mobile terminal.
Alternatively, in this embodiment, the above-mentioned computer terminal may be located in at least one network device among a plurality of network devices of the computer network.
In this embodiment, the computer terminal may execute the program code of the following steps in the process defense method of the container: monitoring a process to be started in the container in response to the starting of the container; determining a storage space of a process to be started in a container; in response to the storage space being at a non-mirrored layer of the container, the process to be started is blocked within the container.
Alternatively, fig. 13 is a block diagram of a computer terminal according to an embodiment of the present application. As shown in fig. 13, the computer terminal a may include: one or more (only one is shown) processors 1302, memory 1304, and transmission means 1306.
The memory may be used to store software programs and modules, such as program instructions/modules corresponding to the process defense method and apparatus of the container in the embodiments of the present application, and the processor executes the software programs and modules stored in the memory, thereby executing various functional applications and data processing, that is, implementing the process defense method of the container. The memory may include high-speed random access memory, and may also include non-volatile memory, such as one or more magnetic storage devices, flash memory, or other non-volatile solid-state memory. In some examples, the memory may further include memory remotely located with respect to the processor, which may be connected to terminal a through a network. Examples of such networks include, but are not limited to, the internet, intranets, local area networks, mobile communication networks, and combinations thereof.
The processor may call the information and the application program stored in the memory through the transmission device to perform the following steps: monitoring a process to be started in the container in response to the starting of the container; determining a storage space of a process to be started in a container; in response to the storage space being at a non-mirrored layer of the container, the process to be started is blocked within the container.
Optionally, the above processor may further execute program code for: and determining that the storage space is located in the non-mirrored layer in response to the address of the storage space being located in an address interval of the non-mirrored layer.
Optionally, the above processor may further execute program code for: identifying a file system type used by the container in response to the container starting; determining an address interval of a non-mirror layer according to a file system structure corresponding to the file system type, wherein the file system structure is used for representing directory structure characteristics of a file system of the file system type; address intervals of the non-mirrored layer are cached.
Optionally, the above processor may further execute program code for: responding to a process starting event triggered by a process to be started in a container, and acquiring an address of a storage space of the process to be started, wherein the process starting event is used for indicating a process starting instruction; it is determined whether the obtained address of the memory space is located in an address interval of a non-mirrored layer of the cache.
Optionally, the above processor may further execute program code for: sending a blocking request to a server, wherein the blocking request is used for requesting the server to block a process to be started, and the server is used for recording a log corresponding to the process to be started; and blocking the process to be started from being started in the container in response to a blocking instruction issued by the server based on the blocking request.
Optionally, the above processor may further execute program code for: and reporting a blocking result for blocking the starting of the process to be started in the container to a server, wherein the server is used for updating the defending state of the process to be started based on the blocking result.
Optionally, the above processor may further execute program code for: and starting the process to be started in response to the storage space being located in the mirror layer of the container.
Optionally, the above processor may further execute program code for: in response to the storage space being different from the mirrored layer of the container, the storage space is determined to be a non-mirrored layer, wherein the mirrored layer stores data used to create the container.
The processor may call the information and the application program stored in the memory through the transmission device to perform the following steps: monitoring a process to be started in the container in response to the starting of the container; determining a storage space of a process to be started in a container; responding to the storage space being positioned in a non-mirror layer which is a container, sending a blocking request to a server, wherein the blocking request is used for requesting the server to block a process to be started; and blocking the process to be started in the container in response to a blocking instruction issued by the server based on the blocking request.
The processor may call the information and the application program stored in the memory through the transmission device to perform the following steps: obtaining a blocking request from a client, wherein the blocking request is generated by the client when a storage space of a process to be started in a started container is positioned at a non-mirror layer of the container, and the blocking request is used for requesting to block the process to be started; and responding to the blocking request, and sending a blocking instruction to the client, wherein the blocking instruction is used for enabling the client to block the process to be started in the container.
By adopting the embodiment of the application, a process defense method of the container is provided. In the embodiment of the application, when the process to be started, which is derived from the non-mirror layer, occurs during the operation of the container, the process to be started can be determined to be a defending object which needs to be defended for the container based on the storage space of the process to be started, and the startup of the defending object is prevented in the container, so that the technical effect of improving the defending performance of the container is achieved, and the technical problem of low defending performance of the container is solved.
It will be appreciated by those skilled in the art that the structure shown in fig. 13 is only illustrative, and the computer terminal a may be a terminal device such as a smart phone (e.g. an Android phone, an iOS phone, etc.), a tablet computer, a palm computer, a mobile internet device (Mobile Internet Devices, MID), a PAD, etc. Fig. 13 does not limit the structure of the computer terminal a. For example, the computer terminal a may also include more or fewer components (such as a network interface, a display device, etc.) than shown in fig. 13, or have a different configuration than shown in fig. 13.
Those of ordinary skill in the art will appreciate that all or part of the steps in the various methods of the above embodiments may be implemented by a program for instructing a terminal device to execute in association with hardware, the program may be stored in a computer readable storage medium, and the storage medium may include: flash disk, read-Only Memory (ROM), random-access Memory (Random Access Memory, RAM), magnetic or optical disk, and the like.
Example 6
Embodiments of the present application also provide a computer-readable storage medium. Alternatively, in this embodiment, the computer-readable storage medium may be used to store program code executed by the authentication method for data provided in the first embodiment.
Alternatively, in this embodiment, the above-mentioned computer-readable storage medium may be located in any one of the computer terminals in the computer terminal group in the computer network, or in any one of the mobile terminals in the mobile terminal group.
Optionally, in the present embodiment, the computer readable storage medium is configured to store program code for performing the steps of: monitoring a process to be started in the container in response to the starting of the container; determining a storage space of a process to be started in a container; in response to the storage space being at a non-mirrored layer of the container, the process to be started is blocked within the container.
Optionally, the above computer readable storage medium may further execute program code for: and determining that the storage space is located in the non-mirrored layer in response to the address of the storage space being located in an address interval of the non-mirrored layer.
Optionally, the above computer readable storage medium may further execute program code for: identifying a file system type used by the container in response to the container starting; determining an address interval of a non-mirror layer according to a file system structure corresponding to the file system type, wherein the file system structure is used for representing directory structure characteristics of a file system of the file system type; address intervals of the non-mirrored layer are cached.
Optionally, the above computer readable storage medium may further execute program code for: responding to a process starting event triggered by a process to be started in a container, and acquiring an address of a storage space of the process to be started, wherein the process starting event is used for indicating a process starting instruction; it is determined whether the obtained address of the memory space is located in an address interval of a non-mirrored layer of the cache.
Optionally, the above computer readable storage medium may further execute program code for: sending a blocking request to a server, wherein the blocking request is used for requesting the server to block a process to be started, and the server is used for recording a log corresponding to the process to be started; and blocking the process to be started from being started in the container in response to a blocking instruction issued by the server based on the blocking request.
Optionally, the above computer readable storage medium may further execute program code for: and reporting a blocking result for blocking the starting of the process to be started in the container to a server, wherein the server is used for updating the defending state of the process to be started based on the blocking result.
Optionally, the above computer readable storage medium may further execute program code for: and starting the process to be started in response to the storage space being located in the mirror layer of the container.
Optionally, the above computer readable storage medium may further execute program code for: in response to the storage space being different from the mirrored layer of the container, the storage space is determined to be a non-mirrored layer, wherein the mirrored layer stores data used to create the container.
As an alternative example, the computer readable storage medium is arranged to store program code for performing the steps of: monitoring a process to be started in the container in response to the starting of the container; determining a storage space of a process to be started in a container; responding to the storage space being positioned in a non-mirror layer which is a container, sending a blocking request to a server, wherein the blocking request is used for requesting the server to block a process to be started; and blocking the process to be started in the container in response to a blocking instruction issued by the server based on the blocking request.
As an alternative example, the computer readable storage medium is arranged to store program code for performing the steps of: obtaining a blocking request from a client, wherein the blocking request is generated by the client when a storage space of a process to be started in a started container is positioned at a non-mirror layer of the container, and the blocking request is used for requesting to block the process to be started; and responding to the blocking request, and sending a blocking instruction to the client, wherein the blocking instruction is used for enabling the client to block the process to be started in the container.
Example 7
Embodiments of the present application may provide an electronic device that may include a memory and a processor.
Fig. 14 is a block diagram of an electronic device of a process defense method of a container according to an embodiment of the present application. Electronic devices are intended to represent various forms of digital computers, such as laptops, desktops, workstations, personal digital assistants, servers, blade servers, mainframes, and other appropriate computers. The electronic device may also represent various forms of mobile devices, such as personal digital processing, cellular telephones, smartphones, wearable devices, and other similar computing devices. The components shown herein, their connections and relationships, and their functions, are meant to be exemplary only, and are not meant to limit implementations of the application described and/or claimed herein.
As shown in fig. 14, the apparatus 1400 includes a computing unit 1401 that can perform various appropriate actions and processes according to a computer program stored in a Read Only Memory (ROM) 1402 or a computer program loaded from a storage unit 1408 into a Random Access Memory (RAM) 1403. In the RAM1403, various programs and data required for the operation of the device 1400 can also be stored. The computing unit 1401, the ROM1402, and the RAM1403 are connected to each other through a bus 1404. An input/output (I/O) interface 1405 is also connected to the bus 1404.
Various components in device 1400 are connected to I/O interface 1405, including: an input unit 1406 such as a keyboard, a mouse, or the like; an output unit 1404 such as various types of displays, speakers, and the like; a storage unit 1408 such as a magnetic disk, an optical disk, or the like; and a communication unit 1409 such as a network card, a modem, a wireless communication transceiver, and the like. The communication unit 1409 allows the device 1400 to exchange information/data with other devices through a computer network such as the internet and/or various telecommunications networks.
The computing unit 1401 may be a variety of general and/or special purpose processing components having processing and computing capabilities. Some examples of computing unit 1401 include, but are not limited to, a Central Processing Unit (CPU), a Graphics Processing Unit (GPU), various specialized Artificial Intelligence (AI) computing chips, various computing units running machine learning model algorithms, a Digital Signal Processor (DSP), and any suitable processor, controller, microcontroller, etc. The computing unit 1401 performs the respective methods and processes described above, for example, a process defense method of a container. For example, in some embodiments, the process defense method of the container may be implemented as a computer software program tangibly embodied on a machine-readable medium, such as storage unit 1408. In some embodiments, part or all of the computer program may be loaded and/or installed onto the device 1400 via the ROM1402 and/or the communication unit 1409. When a computer program is loaded into the RAM1403 and executed by the computing unit 1401, one or more steps of the process defense method of the container described above can be performed. Alternatively, in other embodiments, computing unit 1401 may be configured to perform the process defense method of the container in any other suitable way (e.g. by means of firmware).
Various implementations of the systems and techniques described here above may be implemented in digital electronic circuitry, integrated circuit systems, field Programmable Gate Arrays (FPGAs), application Specific Integrated Circuits (ASICs), application Specific Standard Products (ASSPs), systems On Chip (SOCs), complex Programmable Logic Devices (CPLDs), computer hardware, firmware, software, and/or combinations thereof. These various embodiments may include: implemented in one or more computer programs, the one or more computer programs may be executed and/or interpreted on a programmable system including at least one programmable processor, which may be a special purpose or general-purpose programmable processor, that may receive data and instructions from, and transmit data and instructions to, a storage system, at least one input device, and at least one output device.
Program code for carrying out methods of the present application may be written in any combination of one or more programming languages. These program code may be provided to a processor or controller of a general purpose computer, special purpose computer, or other programmable data processing apparatus such that the program code, when executed by the processor or controller, causes the functions/operations specified in the flowchart and/or block diagram to be implemented. The program code may execute entirely on the machine, partly on the machine, as a stand-alone software package, partly on the machine and partly on a remote machine or entirely on the remote machine or server.
In the context of this application, a machine-readable medium may be a tangible medium that can contain, or store a program for use by or in connection with an instruction execution system, apparatus, or device. The machine-readable medium may be a machine-readable signal medium or a machine-readable storage medium. The machine-readable medium may include, but is not limited to, an electronic, magnetic, optical, electromagnetic, infrared, or semiconductor system, apparatus, or device, or any suitable combination of the foregoing. More specific examples of a machine-readable storage medium would include an electrical connection based on one or more wires, a portable computer diskette, a hard disk, a Random Access Memory (RAM), a read-only memory (ROM), an erasable programmable read-only memory (EPROM or flash memory), an optical fiber, a portable compact disc read-only memory (CD-ROM), an optical storage device, a magnetic storage device, or any suitable combination of the foregoing.
To provide for interaction with a user, the systems and techniques described here can be implemented on a computer having: other types of devices may also be used to provide interaction with a user, for example, feedback provided to the user may be any form of sensory feedback (e.g., visual feedback, auditory feedback, or tactile feedback), and input from the user may be received in any form (including acoustic input, speech input, or tactile input).
The systems and techniques described here can be implemented in a computing system that includes a background component (e.g., as a data server), or that includes a middleware component (e.g., an application server), or that includes a front-end component (e.g., a user computer having a graphical user interface or a web browser through which a user can interact with an implementation of the systems and techniques described here), or any combination of such background, middleware, or front-end components. The components of the system can be interconnected by any form or medium of digital data communication (e.g., a communication network). Examples of communication networks include: local Area Networks (LANs), wide Area Networks (WANs), and the internet.
The computer system may include a client and a server. The client and server are typically remote from each other and typically interact through a communication network. The relationship of client and server arises by virtue of computer programs running on the respective computers and having a client-server relationship to each other. The server may be a cloud server, a server of a distributed system, or a server incorporating a blockchain.
It should be noted that, the foregoing embodiment numbers are merely for describing the embodiments, and do not represent the advantages and disadvantages of the embodiments.
In the foregoing embodiments of the present application, the descriptions of the embodiments are emphasized, and for a portion of this disclosure that is not described in detail in this embodiment, reference is made to the related descriptions of other embodiments.
In the several embodiments provided in the present application, it should be understood that the disclosed technology content may be implemented in other manners. The above-described embodiments of the apparatus are merely exemplary, and are merely a logical functional division, and there may be other manners of dividing the apparatus in actual implementation, for example, multiple units or components may be combined or integrated into another system, or some features may be omitted, or not performed. Alternatively, the coupling or direct coupling or communication connection shown or discussed with each other may be through some interfaces, units or modules, or may be in electrical or other forms.
The units described as separate units may or may not be physically separate, and units shown as units may or may not be physical units, may be located in one place, or may be distributed over a plurality of network units. Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of this embodiment.
In addition, each functional unit in each embodiment of the present application may be integrated in one processing unit, or each unit may exist alone physically, or two or more units may be integrated in one unit. The integrated units may be implemented in hardware or in software functional units.
The integrated units, if implemented in the form of software functional units and sold or used as stand-alone products, may be stored in a computer readable storage medium. Based on such understanding, the technical solution of the present application may be embodied in essence or a part contributing to the prior art or all or part of the technical solution, in the form of a software product stored in a storage medium, including several instructions to cause a computer device (which may be a personal computer, a server or a network device, etc.) to perform all or part of the steps of the methods of the embodiments of the present application. And the aforementioned storage medium includes: a U-disk, a Read-Only Memory (ROM), a random access Memory (RAM, random Access Memory), a removable hard disk, a magnetic disk, or an optical disk, or other various media capable of storing program codes.
The foregoing is merely a preferred embodiment of the present application and it should be noted that modifications and adaptations to those skilled in the art may be made without departing from the principles of the present application and are intended to be comprehended within the scope of the present application.

Claims (14)

1. A method of protecting a container from a process, comprising:
responding to the starting of a container, and monitoring a process to be started in the container;
determining a storage space of the process to be started in the container;
and blocking the process to be started in the container in response to the storage space being located in a non-mirror layer of the container.
2. The method according to claim 1, wherein the method further comprises:
and determining that the storage space is positioned in the non-mirror layer in response to the address of the storage space being positioned in the address interval of the non-mirror layer.
3. The method according to claim 2, wherein the method further comprises:
identifying a file system type used by the container in response to the container starting;
determining an address interval of the non-mirror layer according to a file system structure corresponding to the file system type, wherein the file system structure is used for representing directory structure characteristics of a file system of the file system type;
And caching the address interval of the non-mirror layer.
4. A method according to claim 3, characterized in that the method further comprises:
responding to a process starting event triggered by the process to be started in the container, and acquiring an address of a storage space of the process to be started, wherein the process starting event is used for indicating a process starting instruction;
and determining whether the acquired address of the storage space is positioned in the address interval of the non-mirror layer of the cache.
5. The method of claim 1, wherein blocking the process to be started within the container comprises:
sending a blocking request to a server, wherein the blocking request is used for requesting the server to block the process to be started, and the server is used for recording a log corresponding to the process to be started;
and responding to a blocking instruction issued by the server based on the blocking request, and blocking the process to be started from being started in the container.
6. The method of claim 5, wherein the method further comprises:
and reporting a blocking result for blocking the process to be started from being started in the container to the server, wherein the server is used for updating the defending state of the process to be started based on the blocking result.
7. The method according to any one of claims 1 to 6, further comprising:
and starting the process to be started in response to the storage space being located in the mirror layer of the container.
8. The method of any one of claims 1 to 6, wherein the non-mirrored layer is a readable-writable layer of the container.
9. The method according to any one of claims 1 to 6, further comprising:
and determining the storage space as the non-mirrored layer in response to the storage space being different from the mirrored layer of the container, wherein the mirrored layer stores data for creating the container.
10. A method of protecting a container from a process, comprising:
responding to the starting of a container, and monitoring a process to be started in the container;
determining a storage space of the process to be started in the container;
responding to the storage space being positioned in a non-mirror layer which is the container, sending a blocking request to a server, wherein the blocking request is used for requesting the server to block the process to be started;
and responding to a blocking instruction issued by the server based on the blocking request, and blocking the process to be started in the container.
11. A method of protecting a container from a process, comprising:
obtaining a blocking request from a client, wherein the blocking request is generated by the client when a storage space of a process to be started in a started container is positioned at a non-mirror layer of the container, and the blocking request is used for requesting to block the process to be started;
and responding to the blocking request, and sending a blocking instruction to the client, wherein the blocking instruction is used for enabling the client to block the process to be started in the container.
12. A process defense system for a container, comprising: a client and a server, wherein,
the client is used for responding to the starting of the container, monitoring a process to be started in the container, and sending a blocking request to the server in response to the fact that a storage space of the process to be started in the container is located in a non-mirror layer of the container;
the server is used for responding to the blocking request and sending a blocking instruction to the client;
and the client is used for responding to the blocking instruction and blocking the process to be started in the container.
13. The system of claim 12, wherein the client comprises:
a container readable-writable layer identification module for identifying an address of a readable-writable layer of the container in response to the container being started;
a container process monitoring module, configured to monitor, in response to the container start, the process to be started corresponding to a process start event in the container, and obtain an address of a storage space of the process to be started, and determine, in response to the address of the storage space being located in an address interval of the readable and writable layer, that the storage space is located in the readable and writable layer;
and the process blocking module is used for responding to the blocking instruction and triggering a process blocking signal to the process to be started, wherein the process blocking signal is used for blocking the process to be started in the container.
14. An electronic device, comprising:
a memory storing an executable program;
a processor for executing the program, wherein the program when run performs the method of any of claims 1 to 11.
CN202310418395.6A 2023-04-14 2023-04-14 Container progress defense method, system and electronic equipment Pending CN116302362A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202310418395.6A CN116302362A (en) 2023-04-14 2023-04-14 Container progress defense method, system and electronic equipment

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN202310418395.6A CN116302362A (en) 2023-04-14 2023-04-14 Container progress defense method, system and electronic equipment

Publications (1)

Publication Number Publication Date
CN116302362A true CN116302362A (en) 2023-06-23

Family

ID=86827169

Family Applications (1)

Application Number Title Priority Date Filing Date
CN202310418395.6A Pending CN116302362A (en) 2023-04-14 2023-04-14 Container progress defense method, system and electronic equipment

Country Status (1)

Country Link
CN (1) CN116302362A (en)

Similar Documents

Publication Publication Date Title
CA3006003C (en) Dual memory introspection for securing multiple network endpoints
KR101535502B1 (en) System and method for controlling virtual network including security function
US9117080B2 (en) Process evaluation for malware detection in virtual machines
EP3014447B1 (en) Techniques for detecting a security vulnerability
KR101626424B1 (en) System and method for virtual machine monitor based anti-malware security
US8910238B2 (en) Hypervisor-based enterprise endpoint protection
US9087199B2 (en) System and method for providing a secured operating system execution environment
CN110851241A (en) Safety protection method, device and system for Docker container environment
US20150101049A1 (en) Complex Scoring for Malware Detection
US10715554B2 (en) Translating existing security policies enforced in upper layers into new security policies enforced in lower layers
US10769275B2 (en) Systems and methods for monitoring bait to protect users from security threats
CN111324891A (en) System and method for container file integrity monitoring
CN104866407A (en) Monitoring system and method in virtual machine environment
US11113389B1 (en) Systems and methods for providing persistent visual warnings for application launchers
CN116302362A (en) Container progress defense method, system and electronic equipment
CN115879064A (en) Program running method and device, processor, chip and electronic equipment
CN111177726B (en) System vulnerability detection method, device, equipment and medium
CN113504971B (en) Security interception method and system based on container
CN115470479A (en) Authority control method of application program, electronic device and storage medium
CN116566633A (en) Attack behavior defending method, device, equipment and storage medium
CN112905300A (en) Trusted starting method and system for virtual machine
CN117494110A (en) Code detection method and related system
CN116992479A (en) Process processing method, device, equipment, storage medium and program product

Legal Events

Date Code Title Description
PB01 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination