JP2017174158A - Monitoring system, monitoring method, and monitoring program - Google Patents

Abstract

PROBLEM TO BE SOLVED: To provide a monitoring system capable of detecting unauthorized operation by using a monitoring result of communication performed between containers.SOLUTION: A monitoring system 10 includes monitoring means 11 for monitoring communication performed between a plurality of instances that each have one of division spaces into which a user space in an operating system on a server is virtually divided and share a kernel space in the operating system.SELECTED DRAWING: Figure 1

Description

  The present invention relates to a monitoring system, a monitoring method, and a monitoring program, and more particularly to a monitoring system, a monitoring method, and a monitoring program for improving the confidentiality of a container.

  One virtual software unit is a container. In container-type virtualization, a user space in an OS (Operating System) of a server has a virtually divided space, and a plurality of instances that share a kernel space in the OS are executed on the server. Note that the activated container is sometimes called an instance.

  Each instance runs in an environment that is completely independent of the other environment. Therefore, since there is no possibility that an instance accesses a file in a container other than its own container, the confidentiality of a server in which container-type virtualization is introduced is higher than that of a normal server. In addition, since all instances share the same kernel space in container-type virtualization, resource utilization efficiency is higher than in other virtualization.

  The container is realized by, for example, container type virtualization using a Linux (registered trademark) container technology and a special file system such as aufs (AnotherUnionFS). Container virtualization requires less disk usage, less time to create and start instances, and less performance degradation than hypervisor virtualization, which is complete virtualization including hardware. There is an advantage.

  A container is a temporary object that does not hold data permanently. In other words, in container-type virtualization, when a container is started, information is held in the instance only during execution. In addition, the information held in the instance when the container is stopped is discarded.

  A service provider, which is a subject that provides services by deploying containers, configures one service by combining one or more containers. FIG. 16 is an explanatory diagram showing an example of containers deployed in the data center. A data center 100 shown in FIG. 16 includes a container 20, a container 30, and a container 40.

  A data center 100 shown in FIG. 16 is a platform for starting containers. The data center 100 is also called PaaS (Platform as a Service). The data center 100 may be constructed based on Cloud Foundry, which is one of base software for constructing PaaS, for example.

  Further, the data center 100 may be constructed by executing Cloud Foundry or the like in IaaS (Infrastructure as a Service). A private IP (Internet Protocol) address or a public IP address is assigned to the container.

  The data center 100 has one or more container execution servers that are communicably connected to the outside via a communication network. The data center 100 activates the container in the container execution server. Since a container execution environment that can be used is required for container deployment and execution, a container execution environment is introduced in addition to the OS on the container execution server.

  When deploying containers, the data center 100 may physically or virtually separate an area where containers are deployed from areas where other containers are deployed. In the following description, the presence of a region partition in the data center 100 is not specified, but it may be interpreted that a region partition exists in the data center 100.

  The service provider can deploy one or more containers in a section of the data center 100 given to the service provider, for example. The service provider gives the data center 100 a container image of a container to be deployed. The container image is an image file generated from the container being executed.

  The data center 100 can start a container using a given container image. The data center 100 activates the container on the container execution server. When the container is activated, various application functions based on the code of the container are provided.

  The container 20 shown in FIG. 16 provides the function of a web server. Further, the container 30 provides the function of the application server. The container 40 also provides a database function connected to the storage. For example, by combining the container 20, the container 30, and the container 40, the service provider can configure the web service.

  The container 20 that provides the web server function is communicably connected to a client terminal via a communication network or the like. The containers are also communicably connected via a communication network or the like. In the example shown in FIG. 16, a request from a client terminal is received by the container 20 via a gateway, for example.

  The container 20 that provides the function of the web server has a function of providing content to the client terminal. At least a part of the provided content is an execution result of application logic in response to a request from the client terminal. The application logic is defined based on, for example, descriptions in HTML (HyperText Markup Language) and descriptions of various script programs.

  The application logic is executed in the container 30 that provides the function of the application server. In the example shown in FIG. 16, at least a part of the application logic is logic that uses a database. When executing application logic using a database, the container 30 inquires the container 40 that provides the database function via a communication network or the like.

  As described above, when the containers communicate with each other, the response content to the client terminal is created. Note that communication performed between instances that are activated containers in this specification is referred to as communication performed between containers for convenience.

  The configuration of the data center 100 illustrated in FIG. 16 is (container that provides the function of the web server: container that provides the function of the application server: container that provides the function of the database) = (1: 1: 1). . However, the data center 100 may include a plurality of containers that provide database functions.

  The configuration of the data center 100 may be (container that provides the function of the web server: container that provides the function of the application server: container that provides the function of the database) = (n: m: k). Note that n, m, and k are each an integer of 1 or more.

FIG. 17 is an explanatory diagram showing another example of containers deployed in the data center. As illustrated in FIG. 17, the data center 100 includes containers 20 ₁ to 20 _n , containers 30 ₁ to 30 _m , and containers 40 ₁ to 40 _k .

The containers 20 ₁ to 20 _n all provide the same function. The same applies to the containers 30 ₁ to 30 _m and the containers 40 ₁ to 40 _k . However, the functions provided by the containers 20 ₁ to 20 _n , the functions provided by the containers 30 ₁ to 30 _m , and the functions provided by the containers 40 ₁ to 40 _k are different.

Communication performed between containers shown in FIG. 17 is a target of load distribution. For example, a function provided by the containers 30 ₁ to 30 _m is assumed to be a function A. Further, it is assumed that communication performed between containers is distributed by round robin. In the example shown in FIG. 17, after the container 20 ₁ makes a communication with the container 30 _1, when communicating with the container to provide a function A again, the container 20 ₁ communicates with the container 30 _2.

  In addition, the container execution server can increase the processing amount that can be processed by the container by scaling out the container. Further, the container execution server can reduce the processing amount that can be processed by the container by scaling in the container. That is, scale-out and scale-in are control processes for the degree of parallelism of containers.

  Scale-out deploys instances that can perform processing that can be performed in a container (ie, typically a copy of a running instance) to the same or different computing resources, and distributes processing requests to the deployed instances. Control processing. When the scale-out is executed, the processing amount that can be processed by the container increases.

  Scale-in is a process of canceling the deployment of an instance deployed in scale-out. When the scale-in is executed, for example, the consumption amount of the computing resource is adjusted to an appropriate amount with respect to the processing amount. That is, resource consumption is reduced.

  As will be described later, the messaging service distributes load among instances in accordance with the increase / decrease of instances due to scale-in and scale-out. When load balancing is performed between instances, a service that can withstand high loads is provided.

  For example, consider a container that provides a function of an application server that constitutes a web service including application logic that consumes a lot of resources during execution. By increasing the number of instances corresponding to the container from one to a plurality according to the number of requests per unit time, a high-load compatible service that can immediately respond to all requests from client terminals is provided.

  One organization includes one or more container groups. In addition, the container group includes one or more instances. An instance corresponding to each container belonging to the same group is a copy instance that is an instance normally generated from the same container image. Furthermore, a service is defined as an upper unit that bundles containers or container groups.

US Patent Application Publication No. 2012/0159523 US Patent Application Publication No. 2014/0283045

  No means is provided for monitoring communications performed between containers and detecting unauthorized operations such as instances corresponding to the containers using the monitoring results.

  Japanese Patent Application Laid-Open No. 2004-228561 describes a method of renting (hosting) a large number of middleware components for multiple tenants. In the method described in Patent Document 1, it is assumed that processing is added to container communication executed in the sandbox. A sandbox is an environment designed so that programs do not adversely affect other parts of the system. However, in the technique described in Patent Document 1, it is not assumed that the messaging service monitors container communication.

  Patent Document 2 describes a method for determining the presence or absence of communication abnormality based on the result of communication monitoring. However, in the method described in Patent Document 2, communication performed between containers is not included in the monitoring target.

  Accordingly, an object of the present invention is to provide a monitoring system, a monitoring method, and a monitoring program that can detect an unauthorized operation using a monitoring result of communication performed between containers.

  The monitoring system according to the present invention includes monitoring means for monitoring communications performed between a plurality of instances each sharing a kernel space in an operating system, each of which has a user space in a server operating system virtually divided. It is characterized by including.

  The monitoring method according to the present invention monitors communications performed between a plurality of instances each sharing a kernel space in an operating system, each of which has a user space in a server operating system virtually divided. And

  The monitoring program according to the present invention monitors communication performed between a plurality of instances each having a space in which a user space in a server operating system is virtually divided and sharing a kernel space in the operating system. A monitoring process is executed.

  According to the present invention, an unauthorized operation can be detected using a monitoring result of communication performed between containers.

It is a block diagram which shows the structural example of 1st Embodiment of the monitoring system by this invention. It is a flowchart which shows the operation | movement of the monitoring process by the monitoring system 10 of 1st Embodiment. It is a block diagram which shows the structural example of 2nd Embodiment of the monitoring system by this invention. FIG. 10 is an explanatory diagram illustrating an example of message transmission processing when a Publish / Subscribe type message queue is used. 2 is a block diagram illustrating a configuration example of a data center 100. FIG. It is a flowchart which shows the operation | movement of the communication monitoring setting process by the messaging service 140 of 2nd Embodiment. It is explanatory drawing which shows the example of the structure information of a service. It is explanatory drawing which shows the example of a Publisher list and a Subscriber list. It is explanatory drawing which shows the example of the correspondence of a service and a container. It is explanatory drawing which shows the example of the service selection screen from which the monitoring object is selected. It is a flowchart which shows the operation | movement of the monitoring result analysis process by the communication analysis service 160 of 2nd Embodiment. It is explanatory drawing which shows the example of the monitoring result which the messaging service 140 produced | generated. It is explanatory drawing which shows the other example of the monitoring result which the messaging service 140 produced | generated. It is explanatory drawing which shows the example of the report by the web screen by the messaging service 140. FIG. 4 is a block diagram showing another configuration example of the data center 100. FIG. It is explanatory drawing which shows the example of the container arrange | positioned at a data center. It is explanatory drawing which shows the other example of the container arrange | positioned at a data center.

Embodiment 1. FIG.
Embodiments of the present invention will be described below with reference to the drawings. FIG. 1 is a block diagram showing a configuration example of a first embodiment of a monitoring system according to the present invention. The monitoring system 10 according to the present invention performs a process between a plurality of instances (for example, activated containers) each having a space in which a user space in a server operating system is virtually divided and sharing a kernel space in the operating system. Monitoring means 11 (e.g. messaging service 140) for monitoring incoming communications.

  Hereinafter, the monitoring process by the monitoring system 10 will be described. FIG. 2 is a flowchart illustrating the operation of the monitoring process by the monitoring system 10 according to the first embodiment.

  The monitoring unit 11 monitors communication performed between instances activated by the monitoring target container (step S11). After monitoring, the monitoring system 10 ends the monitoring process.

  With such a configuration, the monitoring system can detect an unauthorized operation using a monitoring result of communication performed between containers.

  In addition, the monitoring system 10 includes a detection unit (for example, a communication analysis service 160) that detects abnormal communication among communication performed between a plurality of instances using a monitoring result that is a result of monitoring the communication by the monitoring unit 11. May be included.

  With such a configuration, the monitoring system can detect abnormal communication performed between containers.

  In addition, the monitoring unit 11 may total the message amount in communication performed between a plurality of instances, and may include the result of totaling the message amount in the monitoring result.

  With such a configuration, the monitoring system can detect abnormal communication using the total value of the number of messages or the number of bytes in communication performed between containers.

  Further, the detecting means may detect a communication in which a value indicated by a result of totaling the message amount exceeds a predetermined threshold as an abnormal communication.

  With such a configuration, the monitoring system can detect abnormal communication using a predetermined threshold corresponding to the range of normal communication.

  Further, the detecting means may detect a communication in which a plurality of values indicated by a result of totaling the message amount do not satisfy a predetermined relational expression as an abnormal communication.

  With such a configuration, the monitoring system can detect abnormal communication using a predetermined relational expression corresponding to normal communication.

  Moreover, the monitoring means 11 may report the content of the abnormal communication detected by the detection means by a predetermined method.

  With such a configuration, the monitoring system can report the contents of abnormal communication that has occurred to the container user.

  The monitoring unit 11 may monitor communication that satisfies a predetermined condition among communication performed between a plurality of instances.

  Further, the communication satisfying the predetermined condition may be communication performed between instances corresponding to containers defined in a predefined Publisher list or Subscriber list.

  Further, the communication that satisfies the predetermined condition may be communication performed between instances corresponding to containers that constitute a predefined service.

  With such a configuration, the monitoring system can reduce the burden on communication monitoring.

  In addition, the monitoring unit 11 may input a monitoring result sampled based on a predefined sampling rule to the detection unit.

  With such a configuration, the monitoring system can detect abnormal communication using a monitoring result that satisfies a predetermined condition.

Embodiment 2. FIG.
[Description of configuration]
Next, a second embodiment of the present invention will be described with reference to the drawings. FIG. 3 is a block diagram showing a configuration example of the second embodiment of the monitoring system according to the present invention. As shown in FIG. 3, the monitoring system 10 of this embodiment includes a data center 100, client terminals 201 to 20 </ b> K, and a communication network 300. K is an integer of 1 or more.

  As shown in FIG. 3, the data center 100 includes a gateway 110, a container execution server 121 to a container execution server 12M, a container 131 to a container 13N, a messaging service 140, a configuration management unit 150, and a communication analysis service. 160. M and N are each an integer of 1 or more.

  The gateway 110 has a function of accepting a connection from a client terminal. The gateway 110 may encrypt data transmitted and received by the client terminal via the communication network 300 by accepting a connection from the client terminal using, for example, TLS (Transport Layer Security).

  The gateway 110 may be a physical device or a VM (Virtual Machine). The gateway 110 may be configured to be redundant, and may be configured to load balance connections from client terminals. Further, the gateway 110 may be an interface that can be connected to another data center.

  The container execution server 121 to the container execution server 12M include platform software for deploying containers and executing the containers. The platform software is Docker, for example.

  The container execution server is, for example, a cluster server. The container execution server may be a physical server or a virtual server. Further, the container execution server 121 to the container execution server 12M are communicably connected via a communication network or the like.

  The container execution server physically or virtually has resources such as a CPU (Central Processing Unit), a memory, a disk, and a network. Resources that the container execution server has are provided to the OS executed by the container execution server.

  The OS provides resources to the platform software. When resources are provided from the OS, the platform software deploys the container in the container execution environment and executes the deployed container.

  The messaging service 140 has a function of mediating communication performed between the containers 131 to 13N. That is, the messaging service 140 behaves as a message bus for the containers 131 to 13N. Further, the messaging service 140 may transmit a request from the accepted client terminal to the container.

  Communication performed between containers in the present embodiment is performed in a message exchange format via the messaging service 140. Note that communication performed between containers may be performed in other formats.

  For the purpose of improving reliability, a Publish / Subscribe type message queue may be used for message transmission. When a Publish / Subscribe type message queue is used, a container that sends a message sends a message to the message bus after performing a Publish process on the message bus. A container that receives a message performs a Subscribe process on the message bus in advance and reserves reception of a message that satisfies a predetermined condition.

  FIG. 4 is an explanatory diagram showing an example of message transmission processing when a Publish / Subscribe type message queue is used. As shown in FIG. 4, the container 131 that transmits a message sends a message to the message bus after performing a Publish “aaa” process on the message bus. Further, the container 133 that receives the message performs the process of Subscribe “aaa” in advance on the message bus. Therefore, the message regarding “aaa” is reliably transmitted from the container 131 to the container 133.

  The messaging service 140 maintains information about where the container is deployed that is used to deliver the message to the destination container. Note that the messaging service 140 may acquire information regarding the container deployment destination when the container performs a Subscribe process on the message bus.

  For example, the messaging service 140 holds information on the deployment destinations of the containers 131 to 13N in a database. The database is, for example, an on-memory database.

  As will be described later, when a scale-out process is executed for a container and a plurality of instances are executed, a container group is formed. The database holds information related to the deployment destinations of the instances corresponding to the containers included in the container group.

  When the URL (Uniform Resource Locator) included in the access request from the client terminal indicates an instance corresponding to the container on which the scale-out process has been executed, the messaging service 140 specifies one of the instances included in the container group, for example. Select according to the rules. The messaging service 140 then routes the access request to the selected instance. The predetermined rule is, for example, round robin.

  The messaging service 140 has a function of monitoring messages. The messaging service 140 can target a predetermined message.

  For example, the messaging service 140 can target all messages. If all messages are monitored, the messaging service 140 can monitor the messages without omission.

  For example, the messaging service 140 may have at least one list of a Publisher list or a Subscriber list. In the case of having a list, the messaging service 140 can monitor messages regarding Publishers or messages regarding Subscribers included in the list. When the message related to the list is the monitoring target, the load related to the monitoring of the messaging service 140 is reduced.

  Also, for example, the messaging service 140 may have a list of instances corresponding to the containers that make up the service. In the case of having a list, the messaging service 140 can monitor a message related to an instance corresponding to a container constituting a service designated in advance by an administrator or the like.

  When a message related to the list is a monitoring target, a message related to a container constituting a desired service such as an important service is monitored while a load related to monitoring of the messaging service 140 is reduced.

  In addition, when the message to be monitored is monitored, the messaging service 140 creates a monitoring result by performing various processes.

  For example, the messaging service 140 may create the monitoring result by counting the number of messages. When the messaging service 140 provides the communication analysis service 160 with the total value of the number of messages as a monitoring result, the communication analysis service 160 can analyze the degree of density of communication performed between containers. For example, the communication analysis service 160 can extract a special event in which a large amount of communication is performed between containers that normally do not perform communication.

  Further, for example, the messaging service 140 may create a monitoring result by acquiring a message extracted based on a policy. The policy includes an access policy, a security policy, and the like. For example, assume that the messaging service 140 is preliminarily given a policy that prohibits unauthorized access to a data source in which highly confidential information is stored compared to other information.

  If a policy prohibiting unauthorized access is given in advance, the messaging service 140 acquires an access request to the data source indicated by the policy, for example. The access request to the data source is, for example, an access request to a predetermined URL, an access request to a predetermined file, or an access request to a predetermined table. The messaging service 140 acquires, for example, the number of accesses to the data source and the access frequency.

  The messaging service 140 can send the monitoring result to the communication analysis service 160. When the monitoring result is provided, the communication analysis service 160 can analyze the monitoring result based on, for example, a context regarding containers in which communication has been performed. For example, the communication analysis service 160 can detect an event in which a predetermined table is accessed more frequently than usual.

  The configuration management unit 150 has a function of storing and managing container images. The configuration management unit 150 manages the container image after grasping the service status, the container group status, and the container status.

  Note that the configuration management unit 150 may hold information related to the deployment destination of the instance corresponding to the container. When the information regarding the instance deployment destination is retained, the configuration management unit 150 may provide the retained information to the messaging service 140. In addition, the configuration management unit 150 may manage service configuration information, which will be described later.

  The communication analysis service 160 has a function of analyzing the monitoring result received from the messaging service 140. For example, the communication analysis service 160 analyzes the monitoring result by at least one of the following methods.

  For example, the communication analysis service 160 creates a profile (analysis result) indicating the status of the network traffic (communication volume) related to the container, and malicious software (also referred to as malware), virus, or abnormal event from the created profile. Is identified.

  Further, for example, the communication analysis service 160 identifies an operation that violates the policy. Operations that violate the policy include, for example, execution of applications using ports other than the standard port, logon of important containers and servers by containers and users with plain text user names and passwords, and unencryption in confidential areas within the network Use of the protocol.

  In addition, for example, the communication analysis service 160 finds a serious threat that may not be detected by comparing communication data related to the container with a log indicating an event transmitted from the security device.

  Specifically, the communication analysis service 160 can analyze the communication state as follows, for example.

  For example, the communication analysis service 160 can detect an abnormal event based on the total value of the number of messages provided from the messaging service 140. The amount of communication between containers such as the absolute amount and the frequency almost depends on the type of access from the client terminal and the access frequency.

  The communication analysis service 160 can define the normal range of the traffic between containers using the property of the traffic between containers. When the communication amount between containers exceeding the defined normal range is detected, the communication analysis service 160 notifies an abnormality related to the container related to the monitoring result.

  The normal range of communication volume between containers is defined by, for example, one of the following methods. The normal range may be defined after any one of the following methods is used alone, or may be defined after a plurality of methods are used in combination.

  1) Threshold type: For example, the communication analysis service 160 defines an upper limit or a lower limit of the communication amount between containers for each combination of containers, for each transmission container, or for each reception container. When the amount of communication between containers exceeds a defined upper limit or lower limit, the communication analysis service 160 notifies an alarm regarding, for example, a combined container, transmission container, or reception container. Note that the communication analysis service 160 may define both an upper limit and a lower limit of the traffic.

  2) Baseline type; for example, the communication analysis service 160 is provided for each periodic unit such as time, day of the week, month, year, etc. Define the normal range (hereinafter referred to as the baseline). That is, the communication analysis service 160 defines a threshold value that changes periodically.

  The result of counting the number of messages or the number of bytes of the message changes within a range corresponding to the number of requests while the service is stably provided. The communication analysis service 160 creates, for example, a baseline having a predetermined period of one cycle using an average value for N cycles. The predetermined period is, for example, one day.

  When the amount of communication between containers exceeds the baseline, the communication analysis service 160 notifies, for example, an alarm regarding any of the combined container, transmission container, or reception container.

  3) Statistical type; For example, the communication analysis service 160 defines a correlation with respect to two or more values of the traffic between containers for each combination of containers, for each transmission container, or for each reception container.

  The communication analysis service 160 may define the correlation using time-series values in a predetermined period. In order to define the modeled correlation, the communication analysis service 160 may use a linear function, an autoregressive linear function, a probability distribution, or the like, or may use a statistical method such as Mahalanobis distance. The Mahalanobis distance is a distance in the Mahalanobis model.

  When the defined correlation is no longer maintained, the communication analysis service 160 notifies an alert regarding a container related to a value that does not maintain the correlation, for example. When a linear function or an autoregressive linear function is used for the correlation, the communication analysis service 160 determines that, for example, the predicted value of the other communication amount predicted from one communication amount based on the correlation is the observed value and the predetermined value. An alarm is notified when the value deviates more than the value.

  In addition, when a probability distribution is used for the correlation, the communication analysis service 160 notifies an alarm when, for example, the probability that an observed value of the other communication amount is obtained for one communication amount is equal to or less than a predetermined value. . That is, the communication analysis service 160 notifies an alarm when the observed value of the other traffic is a value that is not normally observed.

  In addition, when the Mahalanobis distance is used for the correlation, the communication analysis service 160 notifies an alarm when the Mahalanobis distance calculated using, for example, two or more values of the traffic between containers is equal to or greater than a predetermined value. .

[Description of operation]
Hereinafter, the operation of the monitoring system 10 of the present embodiment will be described with reference to FIGS.

  FIG. 5 is a block diagram illustrating a configuration example of the data center 100. As shown in FIG. 5, the container execution server 121 executes a container 131 and a container 132. Further, the container execution server 122 executes the container 133 and the container 134. The names of the container 131, the container 132, the container 133, and the container 134 are Container_101, Container_102, Container_200, and Container_300, respectively.

  Further, as shown in FIG. 5, Container_101 and Container_102 belong to Container_Group_1 which is a container group. As shown in FIG. 5, Container_101 is communicably connected to Container_200 via a communication path 171. Further, Container_102 is communicably connected to Container_200 via a communication path 172. Container_200 is communicably connected to Container_300 via a communication path 173.

  The operation of the monitoring system 10 will be described on the assumption that the configuration of the data center 100 in this example is the configuration shown in FIG. First, a process for setting the monitoring of communication performed between the containers by the messaging service 140 will be described. FIG. 6 is a flowchart illustrating the operation of the communication monitoring setting process by the messaging service 140 according to the second embodiment.

  The messaging service 140 acquires service configuration information designated by the user (step S101).

  FIG. 7 is an explanatory diagram illustrating an example of service configuration information. In step S101, the messaging service 140 acquires configuration information as shown in FIG.

  As shown in FIG. 7, the service configuration information indicates a hierarchical structure of containers. In the container hierarchical structure, a service is the highest-level constituent unit. The service also includes service details. That is, the service is used as a service detail search key.

  As shown in FIG. 7, the service details include a container group and a container. The container group includes details of the container group. That is, the container group is used as a search key for container group details.

  Further, as shown in FIG. 7, the container group details include containers. The messaging service 140 can obtain information on containers constituting the service by using the service designated by the user as a search key.

  Next, the messaging service 140 performs monitoring setting for communication performed between containers on each communication path (step S102). Note that if there is a monitoring setting in which the setting target communication path is deleted, the messaging service 140 deletes the target monitoring setting in step S102.

  For example, when all messages are monitored, the messaging service 140 performs monitoring setting so that all messages input to the messaging service 140 are monitored.

  For example, when monitoring based on a Publisher list or a Subscriber list, the messaging service 140 acquires the Publisher list or the Subscriber list in advance. FIG. 8 is an explanatory diagram illustrating an example of a Publisher list and a Subscriber list.

  Given a Publisher list or Subscriber list, the messaging service 140 checks the source of the input message or the destination of the message against the provided list. By matching, the messaging service 140 determines whether the input message is a message to be monitored.

  Further, when a service designated in advance by an administrator or the like is to be monitored, the messaging service 140 obtains a list indicating the correspondence between the service and the container in advance. The messaging service 140 also acquires a list of services to be monitored in advance. The messaging service 140 determines whether the message is related to a container constituting the service to be monitored.

  FIG. 9 is an explanatory diagram illustrating an example of a correspondence relationship between a service and a container. The service name shown in FIG. 9 is the defined service name shown in FIG. Further, the monitoring shown in FIG. 9 indicates whether the service is a monitoring target service or a non-monitoring target service. True means it is a monitored service. Further, False means that the service is not monitored. Further, the container list shown in FIG. 9 includes containers to be monitored in the service indicated by the service name.

  In addition, the user may input the monitored service and container to the messaging service 140 via the screen interface. FIG. 10 is an explanatory diagram illustrating an example of a service selection screen on which a monitoring target is selected. FIG. 10 shows a service selection screen and a container selection screen.

  When the service selection screen shown in FIG. 10 is used, the user selects a service to be monitored from the list in which the services are listed, and presses an “OK” button to confirm the selection contents. Next, a container selection screen is displayed.

  After the container selection screen is displayed, the user selects a container so that all containers constituting the service are to be monitored, and presses an “OK” button to confirm the selection. Alternatively, after the container selection screen is displayed, the user further selects a container so that a part of all the containers constituting the service becomes a monitoring target, and presses an “OK” button to select the content. May be confirmed.

  Next, the messaging service 140 checks whether or not there is a communication path to be monitored and a deletion target monitoring setting for which no communication path exists (step S103). If there is a communication path that has not been set for monitoring and a monitoring setting that has not been deleted (Yes in step S103), the messaging service 140 performs the process of step S102 again.

  If there is no communication path for which monitoring setting has not been performed and no monitoring setting has not been deleted (No in step S103), the messaging service 140 ends the communication monitoring setting process.

  For example, when the scale-out is performed on the container group, that is, when an instance is added, the messaging service 140 executes the communication monitoring setting process illustrated in FIG. 6 in order to add the added instance to the monitoring target. .

  Further, for example, when the scale-in is performed on the container group, that is, when the instance is deleted, the messaging service 140 performs the communication monitoring setting process shown in FIG. 6 in order to delete the deleted instance from the monitoring target. Run.

  Next, a process in which the communication analysis service 160 analyzes a monitoring result of communication performed between containers will be described. FIG. 11 is a flowchart illustrating the operation of the monitoring result analysis process by the communication analysis service 160 according to the second embodiment.

  The messaging service 140 starts monitoring communication performed between containers based on the monitoring setting (step S201).

  After monitoring of communication performed between containers is started, the messaging service 140 creates a monitoring result by, for example, counting the number of messages. For example, when Container_101 performs Publish processing 100 times and Container_200 performs Subscribe processing for all Publish processing, the messaging service 140 acquires “100” as the number of messages.

  FIG. 12 is an explanatory diagram illustrating an example of a monitoring result generated by the messaging service 140. The monitoring result shown in FIG. 12 is an example of the result of acquiring the number of messages.

  The Publisher shown in FIG. 12 indicates a container that is a Publisher. Subscriber indicates a container that is a Subscriber. Count indicates the amount of acquired messages. In Count, any number, number of bytes, or frequency (= number / time) may be recorded. Note that the monitoring result regarding the combination of Publisher and Subscriber for which communication has not been observed need not be created.

  In addition, after monitoring of communication performed between containers is started, the messaging service 140 may create a monitoring result by, for example, acquiring a message to be acquired indicated by a policy.

  FIG. 13 is an explanatory diagram illustrating another example of the monitoring result generated by the messaging service 140. The monitoring result shown in FIG. 13 is another example of the message number acquisition result.

  The Publisher shown in FIG. 13 indicates a container that is a Publisher. The data source indicates the accessed data source. For example, the data source is represented by a combination of a container that is a Subscriber and a table in the container that is a Subscriber.

  Count indicates the amount of acquired messages. In Count, any number, number of bytes, or frequency (= number / time) may be recorded. Note that the monitoring result regarding the combination of the Publisher and the data source for which communication has not been observed need not be created.

  Next, the messaging service 140 transmits the monitoring result to the communication analysis service 160 (step S202). For example, the messaging service 140 transmits the monitoring result at a predetermined time interval. The time interval is, for example, 5 minutes.

  Next, the communication analysis service 160 receives the transmitted monitoring result and analyzes the received monitoring result (step S203). Specifically, the communication analysis service 160 analyzes the monitoring result by any one of the above-described threshold type, baseline type, and statistical type methods. Note that the communication analysis service 160 may analyze the monitoring result by other methods.

  Hereinafter, a statistical analysis method using a linear function will be described. The aggregation result regarding the number of messages or the number of bytes of the message changes within a range corresponding to the number of requests while the service is stably provided.

  For example, the number of message bytes (X) in the communication path 173 per unit time within a predetermined time is a number proportional to the number of accesses to the database. The number of message bytes (Y) in the communication path 171 and the communication path 172 within the same predetermined time is a number proportional to the number of response rows from the database. That is, the relationship Y = a * X is established. A is a proportionality constant.

  The communication analysis service 160 establishes the above relationship as a linear model in advance. If the relationship between the X and Y per unit time within the predetermined time and the linear model that has been established greatly deviates from the relationship indicated by the established linear model, the communication analysis service 160 outliers at least one of X and Y. Detect as. If an outlier is detected, the communication analysis service 160 determines the presence of abnormal communication.

  The communication analysis service 160 confirms whether or not abnormal contents are detected from the monitoring result analyzed by any one of the threshold type, baseline type, and statistical type in step S203 (step S204). If no abnormal content is detected (No in step S204), the communication analysis service 160 performs the process of step S203 again.

  If abnormal content is detected (Yes in step S204), the communication analysis service 160 determines the presence of abnormal communication. When the presence of abnormal communication is determined, the messaging service 140 reports the fact of the presence of abnormal communication (step S205). Specifically, the messaging service 140 reports the fact of the presence of abnormal communication by a method such as mail, SMS (Short Message Service), or web screen display.

  FIG. 14 is an explanatory diagram showing an example of a report on the web screen by the messaging service 140. The screen shown in FIG. 14 is a “PaaS abnormality detection” screen. For example, the service provider can display a “PaaS abnormality detection” screen via a management menu provided on the PaaS management screen.

  In the “Detected activity” column of the “PaaS abnormality detection” screen shown in FIG. 14, the time when the abnormality is detected and the importance of the detected abnormality are displayed. Specifically, FIG. 14 shows that an abnormality has occurred in communication or the like performed from Container_300 to Container_200 at 9:02 on 2015/12/25.

  That is, the service provider can refer to the abnormality detection result regarding the designated service on the “PaaS abnormality detection” screen. In the “detected activity” column, the details of the detected abnormality may be displayed more specifically or together with more information.

  The data center 100 may include only the containers 131 to 13N, the messaging service 140, and the communication analysis service 160. FIG. 15 is a block diagram illustrating another configuration example of the data center 100.

  Further, the data center 100 may include only the messaging service 140. The data center 100 including only the messaging service 140 monitors communication performed between containers executed by an external container execution server, and transmits a monitoring result to a communication analysis server connected to be communicable. Also good.

[Description of effects]
The monitoring system 10 of this embodiment can detect an unauthorized operation using a monitoring result of communication performed between containers. The reason is that the messaging service 140 monitors communication performed between containers, inputs a monitoring result to the communication analysis service 160, and the communication analysis service 160 analyzes the input monitoring result, thereby causing an illegal operation. This is because an abnormal event is detected.

  Note that the data center 100 of this embodiment is realized by, for example, a CPU that executes processing according to a program stored in a storage medium. That is, the gateway 110, the messaging service 140, and the communication analysis service 160 are realized by a CPU that executes processing according to program control, for example.

  The configuration management unit 150 is realized by, for example, a RAM (Random Access Memory).

  In addition, each unit in the data center 100 according to the present embodiment may be realized by a hardware circuit.

10 monitoring system 11 monitoring means _{20,20 1 ~20 n, 30,30 1 ~30} m, 40,40 1 ~40 k, 131~13N container 100 data center 110 Gateway 121~12M container executing server 140 messaging service 150 configuration Management means 160 Communication analysis service 171 to 173 Communication path 201 to 20K Client terminal 300 Communication network

Claims (10)

And a monitoring unit that monitors communications performed between a plurality of instances each of which has a virtually divided user space in the operating system of the server and shares the kernel space in the operating system. Monitoring system. The monitoring system according to claim 1, further comprising detection means for detecting abnormal communication among communication performed between a plurality of instances using a monitoring result which is a result of monitoring the communication by the monitoring means. The monitoring system according to claim 2, wherein the monitoring unit totals a message amount in communication performed between a plurality of instances, and includes a result obtained by totalizing the message amount in a monitoring result. The monitoring system according to claim 3, wherein the detection unit detects communication in which a value indicated by a result of summing up message amounts exceeds a predetermined threshold as abnormal communication. 5. The monitoring system according to claim 3, wherein the detection unit detects, as abnormal communication, communication in which a plurality of values indicated by a result of summing up message amounts do not satisfy a predetermined relational expression. The monitoring system according to any one of claims 2 to 5, wherein the monitoring unit reports the contents of the abnormal communication detected by the detection unit by a predetermined method. A monitoring method characterized by monitoring communication performed between a plurality of instances each having a user space in a server operating system virtually divided and sharing a kernel space in the operating system. The monitoring method according to claim 7, wherein abnormal communication is detected among communication performed between a plurality of instances using a monitoring result that is a result of monitoring communication. On the computer,
A monitoring program for executing a monitoring process for monitoring communication performed between a plurality of instances each having a user space in the operating system of the server that is virtually divided and sharing the kernel space in the operating system . On the computer,
The monitoring program according to claim 9, wherein a detection process for detecting abnormal communication among communication performed between a plurality of instances is executed using a monitoring result that is a result of monitoring communication.

Images