CN117407118A - Container operation control method, device, electronic equipment and readable storage medium

Info

Publication number: CN117407118A
Authority: CN (China)
Prior art keywords: container, file, target container, operation event, target
Legal status: Pending
Application number: CN202210806756.XA
Other languages: Chinese (zh)
Inventors: 张晨, 郭建新, 陈书元
Current assignee: Beijing Volcano Engine Technology Co Ltd
Original assignee: Beijing Volcano Engine Technology Co Ltd

Classifications

    • G06F9/45558 Hypervisor-specific management and integration aspects
    • G06F11/301 Monitoring arrangements specially adapted to the computing system or computing system component being monitored where the computing system is a virtual computing platform, e.g. logically partitioned systems
    • G06F11/3051 Monitoring arrangements for monitoring the configuration of the computing system or of the computing system component, e.g. monitoring the presence of processing resources, peripherals, I/O links, software programs
    • G06F21/53 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems during program execution, e.g. stack integrity; Preventing unwanted data erasure; Buffer overflow by executing in a restricted environment, e.g. sandbox or secure virtual machine
    • G06F2009/45587 Isolation or security of virtual machine instances
    • G06F2009/45591 Monitoring or debugging support


Abstract

The invention discloses a container operation control method, a container operation control device, electronic equipment and a readable storage medium. The method comprises the following steps: collecting container asset information of the containers running on a host; determining, through a policy controller and according to the container asset information, a target container to be monitored and the protection policy corresponding to it, and setting a monitoring point in the filesystem namespace of the target container for a specified file directory of that container; monitoring events related to the specified file directory through the monitoring point and, when a file operation event is observed, invoking the target container's protection policy to determine whether the process that triggered the event is an illegal process; refusing to respond to the file operation event when its process is determined to be illegal; and allowing the response when the process is determined not to be illegal. Implementing the invention achieves defense in advance against illegal processes such as ransomware.

Description

Container operation control method, device, electronic equipment and readable storage medium
Technical Field
The present invention relates to the field of data security technologies, and in particular, to a method and apparatus for controlling container operation, an electronic device, and a readable storage medium.
Background
Files inside a container are lost and restored to the original state of the image once the container is restarted. To avoid this, a specific directory of the container is commonly mounted from the host: important sensitive files such as database files, pictures, videos and documents are mounted onto the host, so that after a container restart the previously modified file data is not lost and remains on the host's disk. Monitoring reads and writes on the sensitive files mounted in that specific directory therefore makes it possible to block deletion or modification of those files by ransomware, which defends against ransomware attacks.
Current ransomware defenses place decoy (trap) files in a specific host directory, which makes the ransomware process hard to monitor; defenses based on behavior analysis are prone to misjudging a ransomware process; and defenses based on machine learning need a large number of training samples and also misjudge once the ransomware changes. All of these defenses in a container environment are in-process or after-the-fact detection: the ransomware attack keeps running while the verdict is still being produced by analysis, so the risk of files being encrypted or tampered with remains. Existing ransomware defenses therefore still struggle to guarantee the security of data files in a container environment.
Disclosure of Invention
In view of the above, the embodiments of the present invention provide a method, an apparatus, an electronic device, and a readable storage medium for controlling container operation, so as to solve the problem that security of a data file in a container environment is difficult to guarantee.
According to a first aspect, an embodiment of the present invention provides a method for controlling the operation of a container, including: collecting container asset information of the containers running on a host; determining, through a policy controller and according to the container asset information, a target container to be monitored and the protection policy corresponding to it, and setting a monitoring point in the filesystem namespace of the target container for a specified file directory of the target container, the monitoring point being used to monitor events related to that directory; monitoring events related to the specified file directory of the target container through the monitoring point and, when a file operation event is observed, invoking the protection policy corresponding to the target container to determine whether the process that triggered the file operation event is an illegal process; refusing to respond to the file operation event when its process is determined to be illegal; and allowing the response to the file operation event when its process is determined not to be illegal.
In the container operation control method provided by this embodiment, a monitoring point is set in the filesystem namespace of the target container according to the pre-configured protection policy matched to that container, so the specified file directory of the target container running on the current host is monitored. When a file operation event on the specified file directory occurs, the method judges whether the process executing it is an illegal process and, if so, blocks the event. Because the method detects whether the process attempting to operate on the specified file directory is an illegal process such as ransomware, defense happens in advance: the attack on the specified file directory is blocked directly, the data files under that directory of the target container cannot be tampered with by malicious encryption, and the security of data files in the container environment is effectively ensured.
With reference to the first aspect, in a first implementation of the first aspect, collecting container asset information of the containers running on the host includes: establishing a link with the container platform through inter-process communication, the container platform comprising at least one container; and performing a full synchronization of the container asset information of the containers running on the host through the container interface service, the container asset information including at least the container's main process PID and the container name.
By fully synchronizing the asset information of the containers running on the current host, the target container to be protected is easily determined from that information, and no container that needs protection is missed.
With reference to the first implementation of the first aspect, in a second implementation of the first aspect, the method further includes: dynamically monitoring container start or exit (deregistration) events on the container platform through the container hook mechanism, and dynamically updating the corresponding container asset information based on those start or exit events.
Dynamically monitoring the start and/or exit events of containers on the current host through the container hook mechanism keeps the container asset information up to date, keeps the set of containers running on the host fully synchronized, and thereby keeps container protection comprehensive.
With reference to the first implementation of the first aspect, in a third implementation of the first aspect, determining the target container to be monitored and its protection policy through the policy controller according to the container asset information, and setting a monitoring point in the target container's namespace for its specified file directory, includes: invoking the policy controller to traverse the container asset information; querying the protection policy set by each container's name and checking whether the container has a corresponding protection policy; when a corresponding policy exists, obtaining the main process PID of the target container to be monitored and, from that PID, obtaining the filesystem namespace descriptor of the target container; and switching from the host filesystem namespace to the target container's filesystem namespace according to that descriptor, then calling an instrumentation (hook) function to set the monitoring point on the target container's specified file directory.
Matching the protection policy from the policy set by the target container's name identifies precisely which containers need protection, narrows the protection scope over the container assets, and reduces performance overhead. The target container's filesystem namespace descriptor is derived from its main process PID, the defender switches into the filesystem namespace to be protected, and the corresponding monitoring points are set under the target container's specified file directory. This protects the specified file directory inside the target container in advance, prevents the protected data files from being tampered with maliciously, and protects the normal operation of the system hosting the container as far as possible.
With reference to the first implementation of the first aspect, in a fourth implementation of the first aspect, monitoring events related to the specified file directory of the target container through the monitoring point and, when a file operation event is observed, invoking the target container's protection policy to determine whether the process triggering the event is illegal, includes: reporting the observed file operation event to a blocking interceptor, which parses the event to obtain the PID of the process that produced it (the file process PID); and comparing the file process PID with the main process PID of the target container to determine whether the process triggering the file operation event is an illegal process.
With reference to the fourth implementation of the first aspect, in a fifth implementation of the first aspect, comparing the file process PID with the target container's main process PID to determine whether the triggering process is illegal includes: when the file process PID differs from the target container's main process PID, judging that the process triggering the file operation event is an illegal process; and when the file process PID equals the target container's main process PID, judging that the process is not an illegal process.
Comparing the file process PID with the target container's main process PID effectively judges the legitimacy of a process started inside the target container: file operation events of legitimate processes are released directly, file operation events of illegal processes are blocked directly, and the risk of misjudging a file operation event is effectively reduced.
With reference to the first aspect, in a sixth implementation of the first aspect, the method further includes: when the container asset information changes, determining the containers to be monitored that are currently running on the host based on the changed container asset information; and dynamically issuing a protection policy to those containers through the policy controller.
Dynamically issuing the protection policy to the container to be monitored makes the policy configurable at runtime: no restart is needed to apply a policy configuration, data files can be secured while the protected container is running, and the container is protected precisely.
According to a second aspect, an embodiment of the present invention provides a container operation control device, including: a collection module for collecting container asset information of the containers running on the host; a monitoring module for determining, through the policy controller and according to the container asset information, a target container to be monitored and its corresponding protection policy, and for setting a monitoring point in the target container's filesystem namespace for its specified file directory, the monitoring point monitoring events related to that directory; a judging module for monitoring events related to the specified file directory of the target container through the monitoring point and, when a file operation event is observed, invoking the target container's protection policy to determine whether the process triggering the event is an illegal process; a first response module for refusing to respond to the file operation event when its process is determined to be illegal; and a second response module for allowing the response to the file operation event when its process is determined not to be illegal.
According to a third aspect, an embodiment of the present invention provides an electronic device including a processor that executes computer instructions to implement the container operation control method of the first aspect or any implementation of the first aspect.
According to a fourth aspect, an embodiment of the present invention provides a computer-readable storage medium storing computer instructions that cause a computer to execute the container operation control method of the first aspect or any implementation of the first aspect.
For the beneficial effects of the container operation control device, the electronic device and the computer-readable storage medium provided by the embodiments of the present invention, reference is made to the corresponding description of the container operation control method, which is not repeated here for brevity.
Drawings
In order to more clearly illustrate the embodiments of the present invention or the technical solutions in the prior art, the drawings that are needed in the description of the embodiments or the prior art will be briefly described, and it is obvious that the drawings in the description below are some embodiments of the present invention, and other drawings can be obtained according to the drawings without inventive effort for a person skilled in the art.
FIG. 1 is an architecture diagram of a defender according to an embodiment of the present invention;
FIG. 2 is a flow chart of an implementation of a container operation control method according to an embodiment of the present invention;
FIG. 3 is a flow chart of a container operation control method according to an embodiment of the present invention;
FIG. 4 is another flow chart of a container operation control method according to an embodiment of the present invention;
FIG. 5 is yet another flow chart of a container operation control method according to an embodiment of the present invention;
FIG. 6 is a flow chart of collecting container asset information according to an embodiment of the present invention;
FIG. 7 is a flow chart of setting a monitoring point based on a protection policy according to an embodiment of the present invention;
FIG. 8 is a flow chart of releasing or blocking a file operation event according to an embodiment of the present invention;
FIG. 9 is a block diagram of a container operation control device according to an embodiment of the present invention;
FIG. 10 is a schematic diagram of the hardware structure of an electronic device according to an embodiment of the present invention.
Detailed Description
For the purpose of making the objects, technical solutions and advantages of the embodiments of the present invention more apparent, the technical solutions of the embodiments of the present invention will be clearly and completely described below with reference to the accompanying drawings in the embodiments of the present invention, and it is apparent that the described embodiments are some embodiments of the present invention, but not all embodiments of the present invention. All other embodiments, which can be made by those skilled in the art based on the embodiments of the invention without making any inventive effort, are intended to be within the scope of the invention.
At present, ransomware defense methods in a container environment are mainly the following: 1) placing decoy files under a specific directory of the host; 2) detecting the behavioral characteristics of file operation events by a behavior analysis method; 3) building a classifier model by machine learning. However, decoy files have certain characteristics that distinguish them from genuine sensitive files, so ransomware can skip them and not encrypt them, evading detection by the monitor; the behavior analysis method is essentially anomaly detection and misjudges easily if its thresholds are set unreasonably; and the machine learning method depends on the number, completeness and scenario coverage of the training samples and on the adaptability of the learned model, and misjudges easily once the ransomware changes.
This technical solution therefore monitors read and write operations on a sensitive directory or file inside a specific container. As soon as an illegal process such as ransomware is detected deleting or modifying the sensitive directory or file, the operation is blocked directly. Defense against attacks by ransomware and other illegal processes is thus achieved by means of defense in advance, and the protected data files are guaranteed not to be tampered with or encrypted maliciously.
The embodiment of the present invention provides a defender architecture for a container environment; as shown in fig. 1, the defender comprises a container asset collector, a policy controller and a blocking interceptor. The asset collector is mainly responsible for collecting the asset information of the Docker containers running on the current host, which are the objects of security protection. The policy controller is mainly responsible for configuring the protection policy, i.e. it sets a corresponding protection policy for each target container to be protected and sets a monitoring point on the specified file directory inside the container through fanotify, the Linux mechanism for being notified of filesystem changes (fanotify is a file monitoring mechanism). The blocking interceptor is mainly responsible for monitoring file operation events on the specified file directory, judging by the protection policy whether the process executing the event is legitimate, and blocking the current file operation event directly once the process is judged illegal, achieving the defensive purpose. The implementation flow is shown in fig. 2.
Because a container's behavior is single-purpose, the legitimacy of a newly started process inside the container can be judged accurately and effectively. Unlike traditional defenses against ransomware attacks in a host environment, the method uses the Linux kernel fanotify mechanism to adopt a release policy for the file operation events of legitimate processes and a blocking policy for the file operation events of illegal processes, effectively reducing the risk of misjudgment. Once a ransomware attack occurs, the attack behavior is blocked directly, so defense is achieved in advance and the protected data files are guaranteed not to be maliciously encrypted or tampered with by ransomware.
In accordance with an embodiment of the present invention, there is provided an embodiment of a container operation control method, it being noted that the steps shown in the flowchart of the drawings may be performed in a computer system such as a set of computer executable instructions, and, although a logical order is shown in the flowchart, in some cases, the steps shown or described may be performed in an order other than that shown or described herein.
In this embodiment, a container operation control method is provided, which may be used for an electronic device, such as a host, with the defensive apparatus architecture, and fig. 3 is a flowchart of the container operation control method according to an embodiment of the present invention, and as shown in fig. 3, the flowchart includes the following steps:
S11, collecting container asset information of a container running on a host.
A container is an isolated operating-system space created at the kernel layer of the host operating system for running a specific service. Container asset information is the metadata of all containers running on the current host, i.e. the information characterizing the specific service running in each container; it includes the file mount path, the container name, the container's main process PID, and similar items.
Specifically, the host may deploy an application running inside a container through a container engine such as Docker. A host usually has one or more containers in the running state, and it can communicate with them through the interface provided by the container engine to obtain every container currently running and the asset information of all of them, so that the running state of specific services in the container environment can later be monitored in real time.
S12, determining, through a policy controller and according to the container asset information, a target container to be monitored and the protection policy corresponding to it, and setting a monitoring point in the filesystem namespace of the target container for a specified file directory of the target container.
The monitoring point is used to monitor events related to the specified file directory of the target container.
As described above, the policy controller is primarily responsible for configuring the protection policies for the containers running on the host. Whether any target container to be monitored exists among the containers running on the host is determined according to the collected container asset information. A target container is a specific container that contains a specified file directory and requires protection; there may be one or more target containers, which is not limited here.
The protection policy is a security policy preset according to whether the target container has a specified file directory that needs protection. The specified file directory is the mount path of sensitive files (e.g. database files, pictures, videos, documents) in the container environment.
When the policy controller detects that a container has a protection policy configured, that container is the target container to be monitored. To prevent malicious programs such as ransomware from modifying, deleting or encrypting its files, the host sets a monitoring point in the target container's filesystem namespace for the specified file directory in the container environment, according to the protection policy pre-configured for the target container, so that related events generated for the specified file directory are monitored in real time.
S13: monitoring, through the monitoring point, events related to the specified file directory of the target container, and when a file operation event is monitored, invoking the protection policy corresponding to the target container to determine whether the process that triggered the file operation event is an illegal process.
Events related to the specified file directory of the target container are monitored through the monitoring point to judge whether a file operation event for the specified file directory has been generated. When such an event is generated, some process is reading or writing the specified file directory of the target container; it may be an illegal process such as ransomware, or it may be a normal read or write by the main process of the target container. To avoid interfering with the container's normal reads and writes through a misjudgment, the process that triggered the file operation event is checked by invoking the protection policy corresponding to the target container, so as to determine whether it is an illegal process.
S14: refusing to respond to the file operation event when the process of the file operation event is determined to be an illegal process.
When the process that triggered the file operation event is determined to be an illegal process, the event is not a normal operation of the target container on the specified file directory, so the response to the event can be refused directly, without having to analyse the specified file directory after the operation has already been performed on it. This realizes pre-emptive defence of the specified file directory and greatly reduces the chance of the specified file directory in the target container being attacked.
S15: allowing the response to the file operation event when the process of the file operation event is determined not to be an illegal process.
When the process that triggered the file operation event is determined not to be an illegal process, the process executing the file operation event is a legitimate process, so the response to the file operation event generated for the specified file directory is allowed and the legitimate process is let through, ensuring the normal operation of the container.
In the container operation control method described above, a monitoring point is set in the file system namespace of the target container through the pre-configured protection policy matched to the target container, so that the specified file directory of the target container running on the current host is monitored. When a file operation event attempting to operate on the specified file directory is detected, the event is checked to determine whether it comes from an illegal process such as ransomware. Defence therefore happens before the fact: an attack by an illegal process on the specified file directory is blocked directly, the data files under the specified file directory of the target container are protected from malicious encryption and tampering, and the safety of data files in the container environment is effectively ensured.
In this embodiment, a container operation control method is provided, which may be used for an electronic device having the above system architecture, such as a host; the host is taken as the example below. Fig. 4 is a flowchart of a container operation control method according to an embodiment of the present invention; as shown in fig. 4, the flow includes the following steps:
S21: collecting container asset information of the containers running on the host.
Specifically, step S21 may include:
S211: establishing a link with a container platform through inter-process communication, the container platform comprising at least one container.
At run time the electronic device can establish data communication with the container platform through inter-process communication, then monitor in real time, over that connection, the at least one container contained in the container platform and obtain the running state of each container in real time.
S212: synchronizing in full, through the interface service of the container platform, the container asset information of the containers running on the host, the container asset information comprising at least a container main process number and a container name.
The container platform provides an interface service through which the container asset information of all containers running on the current host node can be synchronized in full and stored as a container list. The container asset information may include the container name, the container main process, the file mount path, the image name and so on.
Specifically, taking the system architecture shown in fig. 1 as an example, the asset collector establishes a communication connection with the Docker container platform through the Docker Unix socket file, as shown in fig. 6. All containers on the current host node are fully synchronized through the Docker interface service (the Docker API) to obtain the container asset information of every container on the current host node, which includes the container name Cname, the container main process number Pid, the specified file directory (that is, the file mount path), the image name ImageName of the container, and so on.
Optionally, step S21 may include:
S213: dynamically monitoring container start events and container destruction events on the container platform through the container hook mechanism, and dynamically updating the corresponding container asset information based on those start or destruction events.
A container start event is an operation event for the creation of a container on the current host, and a container destruction event is an operation event for the destruction of a container on the current host. The method can dynamically monitor the start and destruction events generated on the container platform through the container hook mechanism and dynamically update the container asset information accordingly. The update consists of adding the information of a newly created container to the container asset information, or removing the information of a destroyed container from it.
Optionally, after the container asset information is dynamically updated, the updated information is cached in the storage space and replaces the container asset information previously held there, so that the set of containers in the running state on the current host is kept up to date and the asset information of the containers currently running on the host can be consulted conveniently.
Specifically, as shown in fig. 6, container start and destruction events are dynamically monitored at run time through the container hook mechanism, and whenever a container is dynamically started or destroyed the container asset information is dynamically updated. The container asset information obtained in this process is cached, yielding the container asset information of all containers in the running state on the current host.
S22: determining, through the policy controller and according to the container asset information, a target container to be monitored and the protection policy corresponding to the target container, and setting a monitoring point in the file system namespace of the target container for the specified file directory of the target container.
The monitoring point is used to monitor events related to the specified file directory of the target container.
Specifically, step S22 may include:
S221: invoking the policy controller to traverse the container asset information.
A target container has a corresponding protection policy; in other words, a container for which a protection policy has been configured is a target container that needs to be monitored. The electronic device may invoke the policy controller to traverse the container asset information of all containers running on the host.
S222: querying the protection policy set by the container name of each container, and matching whether the container has a corresponding protection policy.
Container names are unique. The container name of each container is obtained by traversing the container asset information, and the policy controller queries the protection policy set by that container name to check whether the set holds a protection policy matching the name.
S223: when a corresponding protection policy exists, obtaining the main process number of the target container to be monitored, and obtaining the file system namespace descriptor of the target container from its main process number.
When a corresponding protection policy is found in the protection policy set, the container that has the policy is the target container to be monitored, and its main process number can be extracted from the container asset information. The main process number of the target container corresponds one-to-one with the file system namespace descriptor of the target container, so the descriptor can be determined from the main process number.
S224: switching from the host file system namespace to the file system namespace of the target container according to the file system namespace descriptor of the target container, and invoking the instrumentation function to set the monitoring point on the specified file directory of the target container.
The file system namespace descriptor identifies the file system namespace of the target container; using it, the host file system namespace can be switched to the file system namespace that the descriptor refers to.
The instrumentation function sets the monitoring point in the specified file directory: by invoking it, a monitoring point is placed under the specified file directory of the target container to monitor whether abnormal operations are performed on that directory. This protects the specified file directory in the target container, so that the protected data files are defended in advance and prevented from being tampered with maliciously.
Specifically, taking the system architecture shown in fig. 1 as an example, a monitoring point is set on the specified file directory of the target container through the protection policy that the policy controller issues to the target container, so as to monitor file operation events generated for the specified file directory in the target container. As shown in fig. 7, the specific implementation procedure is as follows:
1) Traverse the container asset information, query the protection policy set by container name, and judge whether the set holds a protection policy matching the name. If no matching protection policy exists, skip the container without further processing; otherwise, perform step 2);
2) Obtain the main process number Pid of the target container. From Pid the file system namespace descriptor cfd of the target container can be obtained, and the file system namespace corresponding to cfd is determined. The descriptor is obtained as follows:
cfd = open("/proc/<pid>/ns/mnt", O_RDONLY)
3) Invoke the namespace switching function setns() to switch from the host file system namespace to the file system namespace of the target container:
setns(cfd, 0)
4) Invoke the initialization function of the Linux kernel's fanotify to initialize monitoring for the target container:
fd = fanotify_init(FAN_CLOEXEC | FAN_CLASS_CONTENT, O_RDONLY | O_CLOEXEC | O_LARGEFILE | O_NOATIME)
5) Invoke the fanotify marking function to set the monitoring point on the specified file directory of the target container (for example /data):
fanotify_mark(fd, FAN_MARK_ADD | FAN_MARK_MOUNT, FAN_CLOSE_NOWRITE | FAN_CLOSE_WRITE, AT_FDCWD, "/data")
6) Invoke the namespace switching function setns() again to switch back to the host file system namespace, where hostfd is a descriptor of the host's own mount namespace that was opened before step 3):
setns(hostfd, 0)
With this, the monitoring point for the specified file directory of the target container has been set.
7) Repeat the above steps to finish setting the monitoring points for the specified file directories of all target containers that have a protection policy.
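Steps 2) to 6) above, carried out in C as an added example; this is not code from the patent or from the applicant. It assumes the target container's main process number and the protected directory are passed on the command line, and it needs CAP_SYS_ADMIN on Linux, as setns() and fanotify_init() do. One point deliberately differs from the mask shown in step 5): FAN_CLOSE_WRITE and FAN_CLOSE_NOWRITE are notification events, delivered after the file has already been closed, so they can never be answered with FAN_DENY; to be able to refuse an event as step S14 requires, the mark requests the permission events FAN_OPEN_PERM and FAN_ACCESS_PERM instead. The names mnt_ns_path, mark_mask and install_monitor_point are this example's own.

```c
#define _GNU_SOURCE /* setns(), O_NOATIME, O_LARGEFILE */
#include <errno.h>
#include <fcntl.h>
#include <sched.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/fanotify.h>
#include <unistd.h>

/* Fallbacks in case the feature-test macro above was pre-empted by an earlier include. */
#ifndef O_NOATIME
#define O_NOATIME 01000000 /* value from asm-generic/fcntl.h */
#endif
#ifndef O_LARGEFILE
#define O_LARGEFILE 0      /* no-op on 64-bit Linux */
#endif
extern int setns(int fd, int nstype); /* declared in <sched.h> under _GNU_SOURCE */

/* Step 2): /proc path of the mount namespace (the "file system namespace" of the text)
 * of the container's main process. */
static const char *mnt_ns_path(pid_t main_pid)
{
    static char buf[64];
    snprintf(buf, sizeof buf, "/proc/%ld/ns/mnt", (long)main_pid);
    return buf;
}

/* Step 5) mask. Permission events instead of the page's close events, so that the
 * interceptor can later reply FAN_DENY (assumption of this example, see lead-in). */
static uint64_t mark_mask(void)
{
    return FAN_OPEN_PERM | FAN_ACCESS_PERM;
}

/* Steps 2) to 6): enter the target container's mount namespace, create the fanotify
 * group, mark the protected directory on that mount, and return to the host namespace.
 * Returns the fanotify descriptor to read events from, or -1 with errno set. */
static int install_monitor_point(pid_t main_pid, const char *dir)
{
    int fd = -1;
    int hostfd = open("/proc/self/ns/mnt", O_RDONLY | O_CLOEXEC); /* needed for step 6) */
    if (hostfd < 0)
        return -1;
    int cfd = open(mnt_ns_path(main_pid), O_RDONLY | O_CLOEXEC);   /* step 2) */
    if (cfd >= 0 && setns(cfd, 0) == 0) {                          /* step 3) */
        fd = fanotify_init(FAN_CLOEXEC | FAN_CLASS_CONTENT,        /* step 4) */
                           O_RDONLY | O_CLOEXEC | O_LARGEFILE | O_NOATIME);
        if (fd >= 0 && fanotify_mark(fd, FAN_MARK_ADD | FAN_MARK_MOUNT,   /* step 5) */
                                     mark_mask(), AT_FDCWD, dir) < 0) {
            close(fd);
            fd = -1;
        }
        if (setns(hostfd, 0) < 0) {                                /* step 6) */
            /* Still inside the container namespace: treat the whole setup as failed. */
            if (fd >= 0)
                close(fd);
            fd = -1;
        }
    }
    if (cfd >= 0)
        close(cfd);
    close(hostfd);
    return fd;
}

int main(int argc, char **argv)
{
    if (argc != 3) {
        fprintf(stderr, "usage: %s <container-main-pid> <dir-inside-container>\n", argv[0]);
        return 2;
    }
    int fd = install_monitor_point((pid_t)atol(argv[1]), argv[2]);
    if (fd < 0) {
        perror("install_monitor_point");
        return 1;
    }
    printf("monitor point set on %s of pid %s (fanotify fd %d)\n", argv[2], argv[1], fd);
    close(fd);
    return 0;
}
```

The fanotify descriptor stays valid after the listener has switched back to the host namespace, so the same process can go on to step 7) for the next target container and later read events from every descriptor it collected; the event's pid field is reported in the listener's pid namespace, which is why comparing it with the host-side main process number from the container asset information works.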
As an alternative embodiment, the method may further include:
when the container asset information changes, determining, based on the changed container asset information, the containers to be monitored that are currently running on the host, and dynamically issuing a protection policy for those containers through the policy controller.
Because the containers running on a host are not fixed (containers are started and die), whether the container asset information has changed is determined by monitoring the collected container asset information. When it changes, the containers running on the host are determined from the changed information, and whether a container to be monitored needs a protection policy issued, or needs its protection policy re-issued because the task it executes has changed, is likewise determined from the changed information. This realizes a dynamic protection policy set for each container to be monitored: configuring a protection policy does not require a restart, the safety of data files is guaranteed for the containers to be protected, and the containers are protected accurately.
S23: monitoring, through the monitoring point, events related to the specified file directory of the target container, and when a file operation event is monitored, invoking the protection policy corresponding to the target container to determine whether the process that triggered the file operation event is an illegal process. The details are as described in the corresponding embodiments above and are not repeated here.
S24: refusing to respond to the file operation event when the process of the file operation event is determined to be an illegal process. The details are as described in the corresponding embodiments above and are not repeated here.
S25: allowing the response to the file operation event when the process of the file operation event is determined not to be an illegal process. The details are as described in the corresponding embodiments above and are not repeated here.
In the container operation control method provided by this embodiment, the container asset information of the containers running on the current host is synchronized in full, which makes it easy to determine the target containers to be protected from that information and avoids missing a target container that needs protection. The start and/or destruction events of containers on the current host are dynamically monitored through the container hook mechanism, so the container asset information is updated dynamically, the containers running on the host are kept fully synchronized, and container protection stays comprehensive. The corresponding protection policy is matched from the protection policy set by the container name of the target container, so the target containers that need protection are identified accurately, the protection scope over the container assets is narrowed and performance consumption is reduced. The file system namespace descriptor of the target container is determined from the main process number of the target container, the process switches to the file system namespace to be protected, and the corresponding monitoring points are set under the specified file directory of the target container. This protects the specified file directory in the target container: the protected data files are defended in advance and prevented from being tampered with maliciously, and the normal operation of the system the container runs on is protected to the greatest extent.
In this embodiment, a container operation control method is provided, which may be used for an electronic device having the above system architecture, such as a host; the host is taken as the example below. Fig. 5 is a flowchart of a container operation control method according to an embodiment of the present invention; as shown in fig. 5, the flow includes the following steps:
S31: collecting container asset information of the containers running on the host. The details are as described in the corresponding embodiments above and are not repeated here.
S32: determining, through the policy controller and according to the container asset information, a target container to be monitored and the protection policy corresponding to the target container, and setting a monitoring point in the file system namespace of the target container for the specified file directory of the target container.
The monitoring point is used to monitor events related to the specified file directory of the target container.
The details are as described in the corresponding embodiments above and are not repeated here.
S33: monitoring, through the monitoring point, events related to the specified file directory of the target container, and when a file operation event is monitored, invoking the protection policy corresponding to the target container to determine whether the process that triggered the file operation event is an illegal process.
Specifically, the container asset information includes the container main process number, and step S33 may include:
S331: reporting the monitored file operation event to a blocking interceptor, and parsing the file operation event through the blocking interceptor to obtain the file process number corresponding to the file operation event.
As described above, the blocking interceptor judges, based on the protection policy, whether the process executing the file operation event is legitimate; once it judges that the process is illegal, it directly blocks that process's operation on the specified file directory, achieving the defensive purpose.
The operations on a specified file directory that has a monitoring point are monitored in real time. Once a file operation event on the specified file directory is monitored, it is reported to the blocking interceptor, which parses it to extract the file process number PID of the process that triggered the event, the file path, the file name, the current file operation type, and so on.
S332: comparing the file process number with the main process number of the target container to determine whether the process that triggered the file operation event is an illegal process.
Because the specified file directory is inside the target container, if the main process of the target container operates on the specified file directory, the file process number of the process that triggered the file operation event is the same as the main process number of the target container.
The parsed file process number is compared with the main process number of the target container; judging whether the two are the same determines whether the process that triggered the file operation event is an illegal process.
Specifically, when the file process number differs from the main process number of the target container, the process that triggered the file operation event is not the main process of the target container, and it can be determined directly that this process is an illegal process.
Specifically, when the file process number is the same as the main process number of the target container, the process that triggered the file operation event is the main process of the target container. The file operation event generated for the specified file directory in the current container environment is then a normal business scenario; that is, the triggering process is determined not to be an illegal process.
Optionally, the file operation event includes a file read operation and/or a file write operation. A file read operation reads the file under the specified file directory; a file write operation modifies, deletes or otherwise alters the file under the specified file directory.
Specifically, taking the system architecture shown in fig. 1 as an example, the blocking interceptor is mainly responsible for monitoring the file operation events reported by fanotify for the specified file directory in the target container, and for judging, according to the configured protection policy, whether the process that triggered the event is an illegal process. If it is, fanotify is notified to intercept the file operation event; otherwise the event is let through.
As shown in fig. 8, the specific implementation procedure is as follows:
1) Parse the file operation event for the specified file directory reported by fanotify and obtain its information, which may include the file process number Pid, the file path, the file name and the file operation type, where the file operation type is a file read operation or a file write operation.
2) Judge whether the process number Pid of the process that triggered the file operation event is the same as the main process number Pid of the main process of the target container. If they are the same, the main process of the target container is operating on the specified file directory, which is a normal business scenario, and the fanotify response is set to FAN_ALLOW, that is, the process is let through directly. If they differ, an illegal process (such as a ransomware process) is reading or writing the specified file directory of the target container, and the fanotify response is set to FAN_DENY, that is, the file operation event is blocked and intercepted.
S34: refusing to respond to the file operation event when the process of the file operation event is determined to be an illegal process. The details are as described in the corresponding embodiments above and are not repeated here.
S35: allowing the response to the file operation event when the process of the file operation event is determined not to be an illegal process. The details are as described in the corresponding embodiments above and are not repeated here.
In the container operation control method provided by this embodiment, comparing whether the file process number is the same as the main process number of the target container judges effectively whether the process started in the target container is legitimate: the file operation event of a legitimate process is let through directly, the file operation event of an illegal process is blocked directly, and the risk of misjudging file operation events is effectively reduced.
This embodiment further provides a container operation control device, which is used to implement the above embodiments and preferred embodiments; what has already been described is not repeated. The term "module" as used below may be a combination of software and/or hardware that implements a predetermined function. Although the devices described in the following embodiments are preferably implemented in software, implementation in hardware, or in a combination of software and hardware, is also possible and contemplated.
This embodiment provides a container operation control device, as shown in fig. 9, including:
an acquisition module 51 for collecting container asset information of the containers running on the host. The details are as described in the corresponding method embodiments above and are not repeated here.
A monitoring module 52 configured to determine, through the policy controller and according to the container asset information, a target container to be monitored and the protection policy corresponding to the target container, and to set a monitoring point in the file system namespace of the target container for the specified file directory of the target container. The monitoring point is used to monitor events related to the specified file directory of the target container. The details are as described in the corresponding method embodiments above and are not repeated here.
A judging module 53 configured to monitor, through the monitoring point, events related to the specified file directory of the target container, and when a file operation event is monitored, to invoke the protection policy corresponding to the target container to determine whether the process that triggered the file operation event is an illegal process. The details are as described in the corresponding method embodiments above and are not repeated here.
A first response module 54 configured to refuse to respond to the file operation event when the process of the file operation event is determined to be an illegal process. The details are as described in the corresponding method embodiments above and are not repeated here.
A second response module 55 configured to allow the response to the file operation event when the process of the file operation event is determined not to be an illegal process. The details are as described in the corresponding method embodiments above and are not repeated here.
The container operation control device in this embodiment is presented in the form of functional units, where a unit refers to an ASIC circuit, a processor and memory executing one or more software or firmware programs, and/or other devices that can provide the functionality described above.
In the container operation control device provided by this embodiment, a monitoring point is set in the file system namespace of the target container through the pre-configured protection policy matched to the target container, so that the specified file directory of the target container running on the current host is monitored. When a file operation event attempting to operate on the specified file directory is detected, the event is checked to determine whether it comes from an illegal process such as ransomware. Defence therefore happens before the fact: an attack by an illegal process on the specified file directory is blocked directly, the data files under the specified file directory of the target container are protected from malicious encryption and tampering, and the safety of data files in the container environment is effectively ensured.
Alternatively, the acquisition module 51 may include:
and the link sub-module is used for establishing a link with a container platform in an inter-process communication mode, and the container platform comprises at least one container.
The synchronization sub-module is used for performing a full synchronization of the container asset information of the containers running on the host through the container's interface service, where the container asset information includes at least the container main process number and the container name.
Optionally, the acquisition module 51 may include:
a listening sub-module used for dynamically monitoring container start or deregistration events on the container platform through the container's hook mechanism, and dynamically updating the corresponding container asset information based on those start or deregistration events.
Optionally, the monitoring module 52 may include:
a calling sub-module used for calling the policy controller to traverse the container asset information;
a query sub-module used for querying the prevention and control policy set by the container name of each container, and matching whether a corresponding prevention and control policy exists for the container;
an acquisition sub-module used for, when a corresponding prevention and control policy exists, acquiring the main process number of the target container to be monitored and acquiring the file system namespace descriptor of the target container according to that main process number;
a switching sub-module used for switching from the host file system namespace to the file system namespace of the target container according to the file system namespace descriptor of the target container, and calling an instrumentation function to set the monitoring point on the specified file directory of the target container.
Optionally, the judging module 53 may include:
an analysis sub-module used for reporting the monitored file operation event to the blocking interceptor, and analyzing the file operation event through the blocking interceptor to obtain the file process number corresponding to the file operation event (the number of the process that triggered it);
a comparison sub-module used for comparing the file process number with the main process number of the target container, and determining whether the process triggering the file operation event is an illegal process.
Optionally, the comparison sub-module may include:
a first judging sub-module used for judging that the process triggering the file operation event is an illegal process when the file process number differs from the main process number of the target container;
a second judging sub-module used for judging that the process triggering the file operation event is not an illegal process when the file process number matches the main process number of the target container.
Optionally, the file operation event includes a file read operation and/or a file write operation.
Further functional descriptions of the above modules are the same as those of the above corresponding embodiments, and are not repeated here.
The embodiment of the invention also provides electronic equipment, which is provided with the container operation control device shown in fig. 9.
Referring to fig. 10, fig. 10 is a schematic structural diagram of an apparatus according to an alternative embodiment of the present invention. As shown in fig. 10, the apparatus may include at least one processor 601, such as a central processing unit (CPU), at least one communication interface 603, a memory 604, and at least one communication bus 602, where the communication bus 602 is used to enable communication between these components. The communication interface 603 may include a display and a keyboard, and may optionally further include a standard wired interface and a wireless interface. The memory 604 may be a high-speed volatile random access memory (RAM) or a non-volatile memory, such as at least one disk memory. The memory 604 may also optionally be at least one storage device located remotely from the processor 601. The processor 601 may be a device as described in connection with fig. 10; the memory 604 stores an application program, and the processor 601 invokes the program code stored in the memory 604 to perform any of the method steps described above.
The communication bus 602 may be a peripheral component interconnect (PCI) bus or an extended industry standard architecture (EISA) bus, etc. The communication bus 602 may be divided into an address bus, a data bus, a control bus, and the like. For ease of illustration, only one thick line is shown in fig. 10, but this does not mean that there is only one bus or only one type of bus.
The memory 604 may comprise volatile memory, such as random-access memory (RAM); the memory may also include non-volatile memory, such as a flash memory, a hard disk drive (HDD) or a solid state drive (SSD); the memory 604 may also include a combination of the types of memory described above.
The processor 601 may be a central processing unit (central processing unit, CPU), a network processor (network processor, NP) or a combination of CPU and NP, among others.
The processor 601 may further comprise a hardware chip, among other things. The hardware chip may be an application-specific integrated circuit (ASIC), a programmable logic device (programmable logic device, PLD), or a combination thereof. The PLD may be a complex programmable logic device (complex programmable logic device, CPLD), a field-programmable gate array (field-programmable gate array, FPGA), general-purpose array logic (generic array logic, GAL), or any combination thereof.
Optionally, the memory 604 is also used for storing program instructions. The processor 601 may invoke the program instructions to implement the container operation control method shown in the embodiments of fig. 3-5 of the present application.
The embodiment of the invention also provides a non-transitory computer storage medium storing computer-executable instructions that can perform the container operation control method of any of the above method embodiments. The storage medium may be a magnetic disk, an optical disk, a read-only memory (ROM), a random access memory (RAM), a flash memory, a hard disk drive (HDD) or a solid state drive (SSD); the storage medium may also comprise a combination of the kinds of memory described above.
Although embodiments of the present invention have been described in connection with the accompanying drawings, various modifications and variations may be made by those skilled in the art without departing from the spirit and scope of the invention, and such modifications and variations fall within the scope of the invention as defined by the appended claims.

Claims (10)

1. A method of controlling operation of a container, comprising:
collecting container asset information of a container running on a host;
determining, through a policy controller, a target container to be monitored and a prevention and control policy corresponding to the target container according to the container asset information, and setting a monitoring point in a file system namespace of the target container for a specified file directory of the target container, wherein the monitoring point is used for monitoring events related to the specified file directory of the target container;
monitoring events related to the specified file directory of the target container through the monitoring point, and when a file operation event is monitored, invoking the prevention and control policy corresponding to the target container to determine whether a process triggering the file operation event is an illegal process;
when it is determined that the process of the file operation event is an illegal process, refusing to respond to the file operation event;
and when it is determined that the process of the file operation event is not an illegal process, allowing a response to the file operation event.
2. The method of claim 1, wherein collecting container asset information of a container running on a host comprises:
establishing a link with a container platform by means of inter-process communication, wherein the container platform comprises at least one container;
and performing a full synchronization of the container asset information of the container running on the host through the interface service of the container, wherein the container asset information comprises at least a container main process number and a container name.
3. The method according to claim 2, further comprising:
dynamically monitoring a start event or a deregistration event of the container on the container platform through a hook mechanism of the container, and dynamically updating the corresponding container asset information based on the start event or the deregistration event of the container.
4. The method of claim 2, wherein the determining, through the policy controller, a target container to be monitored and a prevention and control policy corresponding to the target container according to the container asset information, and setting a monitoring point in a namespace of the target container for a specified file directory of the target container, comprises:
invoking the policy controller to traverse the container asset information;
querying a prevention and control policy set according to the container name of each container, and matching whether a corresponding prevention and control policy exists for the container;
when a corresponding prevention and control policy exists, acquiring a main process number of the target container to be monitored, and acquiring a file system namespace descriptor of the target container according to the main process number of the target container;
and switching from a host file system namespace to the file system namespace of the target container according to the file system namespace descriptor of the target container, and calling an instrumentation function to set the monitoring point on the specified file directory of the target container.
5. The method according to claim 2, wherein monitoring, through the monitoring point, events related to a specified file directory of the target container, and when a file operation event is monitored, invoking the prevention and control policy corresponding to the target container to determine whether a process triggering the file operation event is an illegal process, comprises:
reporting the monitored file operation event to a blocking interceptor, and analyzing the file operation event through the blocking interceptor to obtain a file process number corresponding to the file operation event;
and comparing the file process number with the main process number of the target container, and determining whether the process triggering the file operation event is an illegal process.
6. The method of claim 5, wherein comparing the file process number with the main process number of the target container to determine whether the process triggering the file operation event is an illegal process comprises:
when the file process number is inconsistent with the main process number of the target container, judging that the process triggering the file operation event is an illegal process;
and when the file process number is consistent with the main process number of the target container, judging that the process triggering the file operation event is not an illegal process.
7. The method of claim 1, further comprising:
when the container asset information changes, determining the container to be monitored that is currently running on the host based on the changed container asset information;
and dynamically issuing a prevention and control policy to the container to be monitored through the policy controller.
8. A container operation control device, comprising:
a collection module used for collecting container asset information of a container running on a host;
a monitoring module used for determining, through a policy controller, a target container to be monitored and a prevention and control policy corresponding to the target container according to the container asset information, and setting a monitoring point in a file system namespace of the target container for a specified file directory of the target container, the monitoring point being used for monitoring events related to the specified file directory of the target container;
a judging module used for monitoring events related to the specified file directory of the target container through the monitoring point, and when a file operation event is monitored, invoking the prevention and control policy corresponding to the target container to determine whether the process triggering the file operation event is an illegal process;
a first response module used for refusing to respond to the file operation event when it is determined that the process of the file operation event is an illegal process;
and a second response module used for allowing a response to the file operation event when it is determined that the process of the file operation event is not an illegal process.
9. An electronic device, comprising:
a memory and a processor, said memory and said processor being communicatively coupled to each other, said memory having stored therein computer instructions, said processor executing said computer instructions to thereby perform the container operation control method of any one of claims 1-7.
10. A computer-readable storage medium storing computer instructions for causing a computer to execute the container operation control method according to any one of claims 1 to 7.
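The flow of claims 1, 4, 5 and 6 (and of the corresponding sub-modules above) mapped onto Linux primitives, as an added example that is not the patent's own code: the file system namespace descriptor is /proc/<main-pid>/ns/mnt, the switch into the container's namespace is setns(2), and the blocking interceptor is a fanotify(7) permission hook that denies opens by any PID other than the container's main process. It assumes CAP_SYS_ADMIN, that the main PID from the container asset information is a host PID, and that the directory is given as seen inside the container.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/fanotify.h>
int setns(int fd, int nstype);  /* glibc prototype, in case _GNU_SOURCE was not in effect */
#ifndef CLONE_NEWNS
#define CLONE_NEWNS 0x00020000  /* mount namespace, value from <linux/sched.h> */
#endif
/* Claim 4: the file system namespace descriptor is derived from the container's main PID. */
int ns_descriptor_path(pid_t main_pid, char *buf, size_t len) {
    int n = snprintf(buf, len, "/proc/%d/ns/mnt", (int)main_pid);
    return (n > 0 && (size_t)n < len) ? 0 : -1;
}
/* Claim 6: a file event is illegal unless the triggering PID is the container's main process. */
int is_illegal_process(pid_t event_pid, pid_t container_main_pid) {
    return event_pid != container_main_pid;
}
/* Claim 4: enter the container's mount namespace and put a blocking permission hook on dir (needs CAP_SYS_ADMIN). */
static int set_monitoring_point(pid_t main_pid, const char *dir) {
    char path[64];
    if (ns_descriptor_path(main_pid, path, sizeof path) < 0) return -1;
    int nsfd = open(path, O_RDONLY | O_CLOEXEC);
    if (nsfd < 0 || setns(nsfd, CLONE_NEWNS) < 0) return -1;  /* absolute paths now resolve inside the container */
    close(nsfd);
    int fan = fanotify_init(FAN_CLASS_CONTENT | FAN_CLOEXEC, O_RDONLY);
    if (fan < 0) return -1;
    if (fanotify_mark(fan, FAN_MARK_ADD, FAN_OPEN_PERM | FAN_EVENT_ON_CHILD, AT_FDCWD, dir) < 0)
        return -1;
    return fan;
}
/* Claims 1 and 5: the blocking interceptor reads the opener's PID from each event and answers ALLOW or DENY. */
static void intercept(int fan, pid_t main_pid) {
    char buf[4096];
    for (;;) {
        ssize_t len = read(fan, buf, sizeof buf);
        if (len <= 0) break;
        struct fanotify_event_metadata *m = (struct fanotify_event_metadata *)buf;
        while (FAN_EVENT_OK(m, len)) {
            if (m->mask & FAN_OPEN_PERM) {
                struct fanotify_response r = { .fd = m->fd,
                    .response = is_illegal_process(m->pid, main_pid) ? FAN_DENY : FAN_ALLOW };
                if (write(fan, &r, sizeof r) < 0) perror("fanotify response");
            }
            if (m->fd >= 0) close(m->fd);  /* each event's fd must be closed by the listener */
            m = FAN_EVENT_NEXT(m, len);
        }
    }
}
int main(int argc, char **argv) {
    if (argc != 3) { fprintf(stderr, "usage: %s <container-main-pid> <dir>\n", argv[0]); return 2; }
    pid_t main_pid = (pid_t)atoi(argv[1]);
    int fan = set_monitoring_point(main_pid, argv[2]);
    if (fan < 0) { perror("set_monitoring_point"); return 1; }
    intercept(fan, main_pid);
    return 0;
}
```

Because claim 6 compares against the main process number only, any other PID in the container, including workers forked by the main process, is treated as illegal and its open is denied.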

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN202210806756.XA CN117407118A (en) 2022-07-08 2022-07-08 Container operation control method, device, electronic equipment and readable storage medium

Publications (1)

Publication Number Publication Date
CN117407118A true CN117407118A (en) 2024-01-16

Family

ID=89485845

Country Status (1)

Country Link
CN (1) CN117407118A (en)

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination