TWI827203B - Verification system and verification method for malicious file of container - Google Patents


Info

Publication number: TWI827203B
Authority: TW (Taiwan)
Prior art keywords: container, interface, file, transcription, running
Application number: TW111131111A
Other languages: Chinese (zh)
Other versions: TW202409872A (en)
Inventors: 廖哲慶, 卓政逸, 華荐治, 周國森, 施君熹
Original assignee: 中華電信股份有限公司
Application filed by 中華電信股份有限公司; priority to TW111131111A (priority date not legally verified); application granted; published as TWI827203B and TW202409872A

Landscapes

  • Debugging And Monitoring (AREA)

Abstract

A verification system and a verification method for malicious files in a container are provided. The verification method includes: obtaining operating parameters from a container running interface of the container and copying the container running interface to generate a container transcription interface; accessing, by the container transcription interface, a container file system of the container and running according to the container file system and the operating parameters so as to generate output parameters; and determining from the output parameters whether an abnormal event has occurred and, in response to determining that an abnormal event has occurred, determining that the container includes a malicious file and prohibiting operation of the container.

Description

Verification system and verification method for malicious files in containers

The present invention relates to a verification system and verification method for malicious files in a container.

A container (for example a Docker container) packages an application together with the environment the application needs in order to run (for example libraries or configuration files). Containers are highly portable and can be deployed to any hardware for execution. When a container contains a malicious file, running the container may corrupt the container. How to determine whether a container contains a malicious file that would cause an anomaly is therefore an important problem in this field.

The present invention provides a verification system and verification method for malicious files in a container, which can verify whether the container contains a malicious file.

A verification system for malicious files in a container according to the present invention includes a storage medium and a processor. The storage medium stores a plurality of modules. The processor is coupled to the storage medium and a transceiver, and accesses and executes the modules, which include a container transcription management interface, a container transcription interface and a container operation analysis interface. The container transcription management interface obtains operating parameters from the container's container running interface and copies the container running interface to generate the container transcription interface (a replica of the running interface of the container under test). The container transcription interface accesses the container's container file system and runs according to the container file system and the operating parameters, thereby generating output parameters. The container operation analysis interface determines from the output parameters whether an abnormal event has occurred and, in response to determining that an abnormal event has occurred, determines that the container contains a malicious file and prohibits the container from running.

In an embodiment of the present invention, the container operation analysis interface instructs the container to run in response to determining that no abnormal event has occurred.

In an embodiment of the present invention, the modules further include a container file feature database and a container file analysis interface. The container file feature database stores file features corresponding to the files in the container file system. The container file analysis interface reads the header of a file to determine whether the header matches the file features and, in response to determining that the header matches the file features, instructs the container transcription management interface to generate the container transcription interface.

In an embodiment of the present invention, the container file analysis interface obtains the operating parameters from the container transcription management interface, determines whether the operating parameters match the file features and, in response to determining that the operating parameters match the file features, instructs the container transcription management interface to generate the container transcription interface.

In an embodiment of the present invention, the output parameters include container status information, central processing unit (CPU) usage information and memory usage information.

In an embodiment of the present invention, the CPU usage information includes the current CPU usage. The container operation analysis interface determines from the container status information whether the container transcription interface has stopped running and, in response to determining that the container transcription interface has stopped running while the current CPU usage is not zero, determines that an abnormal event has occurred.

In an embodiment of the present invention, the memory usage information includes the current memory usage. The container operation analysis interface determines from the container status information whether the container transcription interface has stopped running and, in response to determining that the container transcription interface has stopped running while the current memory usage is not zero, determines that an abnormal event has occurred.

In an embodiment of the present invention, the CPU usage information includes a plurality of CPU usage samples, and the container operation analysis interface determines that an abnormal event has occurred in response to any one of the samples exceeding the CPU usage limit.

In an embodiment of the present invention, the memory usage information includes a plurality of memory usage samples, and the container operation analysis interface determines that an abnormal event has occurred in response to any one of the samples exceeding the memory usage limit.

In an embodiment of the present invention, the operating parameters include at least one of: a container identifier, a container command, a container status, a CPU usage and a memory usage.

A verification method for malicious files in a container according to the present invention includes: obtaining operating parameters from the container's container running interface and copying the container running interface to generate a container transcription interface; accessing, by the container transcription interface, the container's container file system and running according to the container file system and the operating parameters, thereby generating output parameters; and determining from the output parameters whether an abnormal event has occurred and, in response to determining that an abnormal event has occurred, determining that the container contains a malicious file and prohibiting the container from running.

Based on the above, the present invention discloses a verification system and verification method for malicious files in a container. Before the container executes a file in its container file system, the file is analysed according to its operating parameters and the file features recorded in the container file feature database. If the file matches the file features, the corresponding container execution environment is first transcribed so that the transcribed execution environment is isolated from the original container environment, and the transcribed container is then executed. Whether the container contains a malicious file is decided from the execution result of the transcribed container, and the container is accordingly allowed or prohibited to run. In this way a container that contains a malicious file is prevented from being executed and corrupting the container.

10: verification system
100: container file analysis interface
11: processor
110: container portable executable header analysis
12: storage medium
120: container parameter analysis interface
13: transceiver
200: container transcription management interface
21: container running interface
22: container file system
300: container transcription interface
310: container running transcription interface
400: container operation analysis interface
410: container status analysis interface
420: container information synthesis interface
500: container file feature database
S610, S620, S630: steps

FIG. 1 is a schematic diagram of a verification system for malicious files in a container according to an embodiment of the present invention.

FIG. 2 is a schematic diagram of the verification system and a container to be executed according to an embodiment of the present invention.

FIG. 3 is a detailed schematic diagram of the container file analysis interface according to an embodiment of the present invention.

FIG. 4 is a detailed schematic diagram of the container transcription interface according to an embodiment of the present invention.

FIG. 5 is a detailed schematic diagram of the container operation analysis interface according to an embodiment of the present invention.

FIG. 6 is a flow chart of a method for verifying malicious files in a container according to an embodiment of the present invention.

FIG. 1 is a schematic diagram of a verification system 10 for malicious files in a container according to an embodiment of the present invention. The verification system 10 may include a processor 11, a storage medium 12 and a transceiver 13.

The processor 11 is, for example, a central processing unit (CPU), or another programmable general-purpose or special-purpose micro control unit (MCU), microprocessor, digital signal processor (DSP), programmable controller, application specific integrated circuit (ASIC), graphics processing unit (GPU), image signal processor (ISP), image processing unit (IPU), arithmetic logic unit (ALU), complex programmable logic device (CPLD), field programmable gate array (FPGA), a similar element, or a combination of the above. The processor 11 may be coupled to the storage medium 12 and the transceiver 13, and accesses and executes the modules and applications stored in the storage medium 12.

The storage medium 12 is, for example, any type of fixed or removable random access memory (RAM), read-only memory (ROM), flash memory, hard disk drive (HDD), solid state drive (SSD), a similar element, or a combination of the above, and stores the modules and applications executed by the processor 11. In this embodiment the storage medium 12 stores modules including a container file analysis interface 100, a container transcription management interface 200, a container transcription interface 300, a container operation analysis interface 400 and a container file feature database 500, whose functions are described below.

The transceiver 13 transmits and receives signals in a wireless or wired manner. The transceiver 13 may also perform operations such as low-noise amplification, impedance matching, mixing, up- or down-conversion, filtering and amplification.

FIG. 2 is a schematic diagram of the verification system 10 and a container to be executed according to an embodiment of the present invention. The verification system 10 can access or execute the container's container running interface 21 and container file system 22 through the transceiver 13 in order to run the container. The container running interface 21 and the container file system 22 may be installed on the storage medium 12 or on an external electronic device. The container running interface 21 is, for example, an application programming interface (API), and the verification system 10 interacts with the container through it. The container file system 22 contains the one or more files required to run the container, such as binaries or libraries. The container file analysis interface 100 can be communicatively connected to the container file system 22 to access or execute it. The container transcription management interface 200 and the container operation analysis interface 400 can be communicatively connected to the container running interface 21 to access or execute it.

FIG. 3 is a detailed schematic diagram of the container file analysis interface 100 according to an embodiment of the present invention. The container file analysis interface 100 may include a container portable executable header analysis 110 and a container parameter analysis interface 120. Through the container portable executable header analysis 110, the container file analysis interface 100 obtains from the container file system 22 the files required to run the container. The container portable executable header analysis 110 reads the header of each file, for example a portable executable (PE) header. The container parameter analysis interface 120 obtains the header from the container portable executable header analysis 110. Separately, the container transcription management interface 200 accesses the container running interface 21 to obtain the container's operating parameters. The container parameter analysis interface 120 obtains these operating parameters from the container transcription management interface 200; they may include the container identifier, container command, container status, CPU usage or memory usage. Operating parameters may also be user-defined.

The container parameter analysis interface 120 performs feature comparison on the file's header or operating parameters to determine whether the file is of an allowed type. Specifically, the container file feature database 500 pre-stores file features corresponding to the files in the container file system 22; the file features may include, but are not limited to, a mapping between the information in the header and the file extension, a blacklist, a whitelist, a CPU usage limit and a memory usage limit. The container parameter analysis interface 120 determines whether the file's header or operating parameters match the container's file features. If they match, the container parameter analysis interface 120 determines that the file is allowed and instructs the container transcription management interface 200 to transcribe the container. If they do not match, the container parameter analysis interface 120 determines that the file is not allowed and prohibits the container from running. This prevents a container that contains a malicious file, or a file the system administrator has disabled, from being executed.

For example, if the file that runs the container is "test.html", the container portable executable header analysis 110 obtains from the file's header information such as "HTML document, UTF-8 Unicode text, with very long line", "container file system is a Docker volume" and "operating system is Linux". The container portable executable header analysis 110 combines this header information with the operating parameters and passes it to the container parameter analysis interface 120 for feature comparison.

In an embodiment, if the mapping between the file's extension and its header does not match the file features, or the file name is not in the whitelist, the file is treated as a disguised executable. Accordingly, the container parameter analysis interface 120 prohibits the container from running.
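The header-versus-extension check described above, as an added example that is not part of the patent: a Python script that derives a file's type from its leading bytes (the patent's "header"; for files that are not Windows executables this is the magic-number detection that file(1) performs rather than a PE header), then compares it with a hypothetical extension mapping, whitelist and blacklist standing in for the container file feature database 500. The file contents, file names and feature tables are constructed for the example; an ELF binary renamed to index.html is included to show the disguised-executable case.

```python
"""Added example (not the patent's own code): detect a file's real type from its
header bytes and compare it with the extension-to-type mapping, whitelist and
blacklist that the container file feature database is described as holding."""
from __future__ import annotations

import os

# Magic-number table: leading bytes -> type label. Labels are this example's own;
# file(1) prints fuller descriptions such as "ELF 64-bit LSB executable".
MAGIC = [
    (b"\x7fELF", "elf"),
    (b"MZ", "pe"),
    (b"#!", "script"),
    (b"%PDF-", "pdf"),
    (b"\x1f\x8b", "gzip"),
]

# Hypothetical feature database: extension -> header types it may legitimately carry,
# plus the administrator's whitelist and blacklist of file names.
EXT_TO_TYPES = {
    ".html": {"html", "text"},
    ".htm": {"html", "text"},
    ".sh": {"script", "text"},
    ".so": {"elf"},
    ".bin": {"elf", "pe"},
    ".exe": {"pe"},
    ".pdf": {"pdf"},
}
WHITELIST = {"index.html", "test.html", "entrypoint.sh", "libcrypto.so", "app.bin"}
BLACKLIST = {"nc.bin", "mimikatz.exe"}


def header_type(data: bytes) -> str:
    """Classify a file from its first 64 bytes."""
    head = data[:64]
    for magic, label in MAGIC:
        if head.startswith(magic):
            return label
    if head.lstrip().lower().startswith((b"<!doctype html", b"<html")):
        return "html"
    try:
        head.decode("utf-8")
    except UnicodeDecodeError:
        return "binary"
    return "text"


def analyse(name: str, data: bytes) -> tuple[bool, str]:
    """Return (allowed, reason) for one file of the container file system."""
    base = os.path.basename(name)
    ext = os.path.splitext(base)[1].lower()
    kind = header_type(data)
    if base in BLACKLIST:
        return False, f"{base}: blacklisted"
    if base not in WHITELIST:
        return False, f"{base}: not in whitelist"
    allowed = EXT_TO_TYPES.get(ext)
    if allowed is None:
        return False, f"{base}: unknown extension {ext!r}"
    if kind not in allowed:
        # The patent's disguised-executable case: header and extension disagree.
        return False, f"{base}: header says {kind}, extension {ext} expects {sorted(allowed)}"
    return True, f"{base}: {kind} matches {ext}"


def analyse_filesystem(files: dict[str, bytes]) -> dict[str, tuple[bool, str]]:
    return {name: analyse(name, data) for name, data in files.items()}


# Constructed sample container file system (not taken from a real image).
ELF_STUB = b"\x7fELF\x02\x01\x01" + b"\x00" * 57
SAMPLE_FS = {
    "/app/test.html": b"<!DOCTYPE html><html><body>hello</body></html>",
    "/app/entrypoint.sh": b"#!/bin/sh\nexec /app/app.bin\n",
    "/app/app.bin": ELF_STUB,
    "/app/index.html": ELF_STUB,   # ELF renamed to look like a web page
    "/tmp/nc.bin": ELF_STUB,       # blacklisted name
}

if __name__ == "__main__":
    for name, (ok, why) in analyse_filesystem(SAMPLE_FS).items():
        print("ALLOW " if ok else "DENY  ", why)
```

A container is only passed on to the transcription step when every file it executes comes back allowed; one mismatch or blacklisted name is enough to prohibit it, which matches the all-or-nothing decision the embodiment describes.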

FIG. 4 is a detailed schematic diagram of the container transcription interface 300 according to an embodiment of the present invention. After the container parameter analysis interface 120 determines that the file is allowed and instructs the container transcription management interface 200 to transcribe, the container transcription management interface 200 copies the container running interface 21 and the container to generate the container transcription interface 300, which includes a container running transcription interface 310 produced by copying the container running interface 21 and a transcribed container produced by copying the container. The container transcription interface 300 may be a container system such as Docker or Podman, and may support files from a variety of file systems, such as the Unix-like and Windows families of file systems.

The container transcription interface 300 accesses the files in the container file system 22 in order to run according to the container file system 22 and the operating parameters, thereby generating output parameters. Specifically, the container transcription management interface 200 can use Docker inspect to share the files of the container file system 22 with the container transcription interface 300, which triggers the container transcription interface 300 to run. The container transcription interface 300 runs the transcribed container according to the operating parameters and the corresponding files, and the transcribed container produces output parameters such as container status information, CPU usage information and memory usage information. The container transcription interface 300 passes the output parameters to the container operation analysis interface 400.

For example, the container transcription interface 300 can access the file "test.html" in the container file system 22 and instruct the transcribed container to execute "test.html" to produce output parameters. After "test.html" has finished executing, the container transcription management interface 200 resets the container transcription interface 300, releasing the resources (for example CPU or memory) it used. The container transcription management interface 200 obtains the output parameters generated by the container transcription interface 300 and passes the container's output parameters and operating parameters to the container operation analysis interface 400.
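The transcription step described above, as an added example not drawn from the patent: Python that reads a constructed `docker inspect` document (trimmed to the real fields `Config`, `HostConfig`, `Mounts` and `State`) to extract the operating parameters, then builds the `docker run` argument list for an isolated replica. Note that `docker inspect` itself only reports the container's configuration and mounts; sharing the original's files is done here, as an assumption, by mounting the same volume paths read-only into the replica, and networking, capabilities and privilege escalation are removed so the replica's run cannot reach back into the original. The container name, image, command and limits are invented, and executing the resulting command is left to the caller.

```python
"""Added example (not the patent's own code): derive an isolated replica of a
container from `docker inspect` output. Produces the `docker run` argument list
for the transcribed container; it does not execute it."""
from __future__ import annotations

import json
import shlex

# Constructed `docker inspect <container>` output, reduced to the fields used here.
SAMPLE_INSPECT = json.dumps([{
    "Id": "3f2a9c0e7b1d",
    "Name": "/web",
    "State": {"Status": "created", "Running": False, "ExitCode": 0},
    "Config": {
        "Image": "example/web:1.0",
        "Cmd": ["python3", "-m", "http.server", "8080"],
        "Entrypoint": None,
        "Env": ["PATH=/usr/bin", "APP_MODE=prod"],
        "WorkingDir": "/app",
    },
    "HostConfig": {"Memory": 268435456, "NanoCpus": 500000000},
    "Mounts": [{"Type": "volume", "Name": "webdata",
                "Source": "/var/lib/docker/volumes/webdata/_data",
                "Destination": "/app/data", "RW": True}],
}])


def operating_parameters(inspect_json: str) -> dict:
    """Extract the patent's operating parameters: identifier, command, status, limits."""
    info = json.loads(inspect_json)[0]
    cfg, host = info["Config"], info["HostConfig"]
    return {
        "id": info["Id"],
        "name": info["Name"].lstrip("/"),
        "image": cfg["Image"],
        "entrypoint": cfg.get("Entrypoint") or [],
        "cmd": cfg.get("Cmd") or [],
        "env": cfg.get("Env") or [],
        "workdir": cfg.get("WorkingDir") or "",
        "status": info["State"]["Status"],
        "memory": host.get("Memory") or 0,
        "nano_cpus": host.get("NanoCpus") or 0,
        "mounts": [(m["Source"], m["Destination"]) for m in info.get("Mounts", [])],
    }


def replica_run_args(params: dict, suffix: str = "-transcribed") -> list[str]:
    """`docker run` argv for the replica: same image, command, environment and
    resource limits, but no network, read-only copies of the original's mounts,
    no capabilities and no privilege escalation. Limits are kept so that the
    replica's resource samples are comparable with the original's."""
    args = ["docker", "run", "--detach", "--rm", "--name", params["name"] + suffix,
            "--network", "none", "--cap-drop", "ALL",
            "--security-opt", "no-new-privileges", "--pids-limit", "256"]
    if params["memory"]:
        args += ["--memory", str(params["memory"])]
    if params["nano_cpus"]:
        args += ["--cpus", f"{params['nano_cpus'] / 1e9:g}"]
    for env in params["env"]:
        args += ["--env", env]
    if params["workdir"]:
        args += ["--workdir", params["workdir"]]
    for src, dst in params["mounts"]:
        args += ["--volume", f"{src}:{dst}:ro"]   # share the files, never writable
    if params["entrypoint"]:
        args += ["--entrypoint", params["entrypoint"][0]]
    args.append(params["image"])
    if params["entrypoint"]:
        args += params["entrypoint"][1:]
    args += params["cmd"]
    return args


def shell_command(args: list[str]) -> str:
    return " ".join(shlex.quote(a) for a in args)


if __name__ == "__main__":
    params = operating_parameters(SAMPLE_INSPECT)
    print(shell_command(replica_run_args(params)))
```

After the replica has run, `docker rm -f` on the replica name and `docker volume rm` on any scratch volume is the reset step the embodiment describes; because the original's volumes are mounted read-only, nothing the replica did persists into the original container.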

FIG. 5 is a detailed schematic diagram of the container operation analysis interface 400 according to an embodiment of the present invention. The container operation analysis interface 400 may include a container status analysis interface 410 and a container information synthesis interface 420. After obtaining the output parameters from the container transcription interface 300, the container status analysis interface 410 determines from them whether an abnormal event has occurred. If so, the container status analysis interface 410 determines that the original container or its container file system 22 contains a malicious file and outputs, through the transceiver 13, an instruction prohibiting the container from running. Otherwise, the container status analysis interface 410 determines that the original container or container file system 22 does not contain a malicious file and outputs, through the transceiver 13, an instruction for the container to run.

In an embodiment, the CPU usage information in the output parameters includes the current CPU usage. The container status analysis interface 410 determines from the container status information in the output parameters whether the container transcription interface 300 (or the transcribed container) has stopped running. If the container transcription interface 300 has stopped running but the current CPU usage is not zero, the transcribed container's run involved suspicious use of computing resources, and the container status analysis interface 410 determines that an abnormal event has occurred.

In an embodiment, the memory usage information in the output parameters includes the current memory usage. The container status analysis interface 410 determines from the container status information in the output parameters whether the container transcription interface 300 (or the transcribed container) has stopped running. If the container transcription interface 300 has stopped running but the current memory usage is not zero, the transcribed container's run involved suspicious use of memory resources, and the container status analysis interface 410 determines that an abnormal event has occurred.

In an embodiment, the CPU usage information in the output parameters includes a plurality of CPU usage samples. The container status analysis interface 410 determines whether any of the samples exceeds the CPU usage limit; if one does, it determines that an abnormal event has occurred.

In an embodiment, the memory usage information in the output parameters includes a plurality of memory usage samples. The container status analysis interface 410 determines whether any of the samples exceeds the memory usage limit; if one does, it determines that an abnormal event has occurred.
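The four anomaly rules of the preceding embodiments, as an added example not taken from the patent: Python that parses resource samples in the shape produced by `docker stats --no-stream --format '{{.CPUPerc}} {{.MemUsage}}'` (the lines below are constructed, not captured from a container), then applies the stopped-but-CPU-nonzero, stopped-but-memory-nonzero and per-sample limit rules and returns the allow/prohibit verdict. The limit values and the treatment of the `exited` and `dead` statuses as "stopped" are assumptions of this example.

```python
"""Added example (not the patent's own code): the anomaly rules that the
container operation analysis interface applies to the transcribed container's
output parameters, run over constructed resource samples."""
from __future__ import annotations

import re
from dataclasses import dataclass

_UNITS = {"B": 1, "KiB": 1024, "MiB": 1024 ** 2, "GiB": 1024 ** 3,
          "kB": 1000, "MB": 1000 ** 2, "GB": 1000 ** 3}


def parse_size(text: str) -> int:
    """'45.2MiB' -> 47395635 bytes (docker stats prints binary units)."""
    m = re.fullmatch(r"\s*([\d.]+)\s*([A-Za-z]+)\s*", text)
    if not m or m.group(2) not in _UNITS:
        raise ValueError(f"unrecognised size: {text!r}")
    return int(float(m.group(1)) * _UNITS[m.group(2)])


def parse_stats_line(line: str) -> tuple[float, int]:
    """One line of `docker stats --no-stream --format '{{.CPUPerc}} {{.MemUsage}}'`,
    e.g. '12.34% 45.2MiB / 256MiB' -> (12.34, bytes_used)."""
    cpu, mem = line.split(maxsplit=1)
    return float(cpu.rstrip("%")), parse_size(mem.split("/")[0])


@dataclass
class OutputParameters:
    status: str                # container status from the runtime ("running", "exited", ...)
    cpu_samples: list[float]   # CPU usage samples in percent, oldest first
    mem_samples: list[int]     # memory usage samples in bytes, oldest first


@dataclass
class Limits:
    cpu_percent: float
    mem_bytes: int


def collect(status: str, stats_lines: list[str]) -> OutputParameters:
    """Assemble output parameters from the final status and the sampled stats lines."""
    samples = [parse_stats_line(line) for line in stats_lines]
    return OutputParameters(status, [c for c, _ in samples], [m for _, m in samples])


def analyse(out: OutputParameters, limits: Limits) -> list[str]:
    """Return the anomaly reasons; an empty list means the container may run."""
    reasons: list[str] = []
    stopped = out.status in ("exited", "dead")          # assumption: these mean "stopped"
    current_cpu = out.cpu_samples[-1] if out.cpu_samples else 0.0
    current_mem = out.mem_samples[-1] if out.mem_samples else 0
    # Rules 1 and 2: a container that reports itself stopped must not still hold CPU or memory.
    if stopped and current_cpu != 0:
        reasons.append(f"stopped but current CPU usage is {current_cpu}%")
    if stopped and current_mem != 0:
        reasons.append(f"stopped but current memory usage is {current_mem} bytes")
    # Rules 3 and 4: any single sample above the configured limit is an anomaly.
    for i, c in enumerate(out.cpu_samples):
        if c > limits.cpu_percent:
            reasons.append(f"CPU sample {i} ({c}%) exceeds limit {limits.cpu_percent}%")
            break
    for i, m in enumerate(out.mem_samples):
        if m > limits.mem_bytes:
            reasons.append(f"memory sample {i} ({m} bytes) exceeds limit {limits.mem_bytes} bytes")
            break
    return reasons


def verdict(out: OutputParameters, limits: Limits) -> str:
    return "prohibit" if analyse(out, limits) else "allow"


# Constructed stats lines (not captured from a real container).
LIMITS = Limits(cpu_percent=80.0, mem_bytes=200 * 1024 ** 2)
QUIET_RUN = ["3.10% 20.5MiB / 256MiB", "2.90% 21.0MiB / 256MiB", "0.00% 0B / 256MiB"]
SPIKING_RUN = ["3.10% 20.5MiB / 256MiB", "96.50% 240.0MiB / 256MiB", "0.00% 0B / 256MiB"]
GHOST_RUN = ["3.10% 20.5MiB / 256MiB", "3.10% 20.5MiB / 256MiB"]   # "exited" yet still consuming

if __name__ == "__main__":
    for name, lines in (("quiet", QUIET_RUN), ("spiking", SPIKING_RUN), ("ghost", GHOST_RUN)):
        out = collect("exited", lines)
        print(name, verdict(out, LIMITS), analyse(out, LIMITS))
```

The limit rules need the whole series of samples, not just the last one: a short burst that ends before the final sample would otherwise pass, which is why `collect` keeps every reading rather than only the current value.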

In an embodiment, after the container status analysis interface 410 determines that no abnormal event has occurred and instructs the container to run, the container information synthesis interface 420 can access the container file system 22 to obtain the files used to run the container, obtain the operating parameters from the container running interface 21, or obtain the output parameters from the container transcription interface 300. The container information synthesis interface 420 compares information such as the file header, operating parameters and output parameters with the file features stored in the container file feature database 500. If they match, the container information synthesis interface 420 outputs through the transceiver 13 an instruction for the container to run; if they do not match, it outputs through the transceiver 13 an instruction prohibiting the container from running.

FIG. 6 is a flow chart of a method for verifying malicious files in a container according to an embodiment of the present invention; the method can be carried out by the verification system 10 of FIG. 1. In step S610, operating parameters are obtained from the container's container running interface, and the container running interface is copied to generate a container transcription interface. In step S620, the container transcription interface accesses the container's container file system and runs according to the container file system and the operating parameters, thereby generating output parameters. In step S630, whether an abnormal event has occurred is determined from the output parameters and, in response to determining that an abnormal event has occurred, the container is determined to contain a malicious file and is prohibited from running.

In summary, the verification system and verification method for a malicious file of a container of the invention have the following features and effects. The verification system of the invention may be deployed on a client or a server within an enterprise to determine in advance, on the enterprise's behalf, whether the files in a container file system are safe, ensuring the reliability of the container system to be protected. The container file analysis interface of the invention can identify the type of each file in the container file system, thereby determining which application opens the file and which container system and operating system it must run on, which assists the container transcription operation. The container transcription management interface of the invention manages the container in which the user wants to execute a file: it automatically transcribes the corresponding container according to the container environment in which the file is executed, forwards container information and files to the other interfaces, and ensures that the execution of the transcribed container does not affect the original container.
The container transcription interface of the invention may be a container system such as Docker or Podman, so as to support files in a variety of file systems, such as the Unix-like family of file systems and the Windows family of file systems. The container running analysis interface of the invention can analyze the execution state of both the original container and the transcribed container, integrate the various kinds of information, and, together with the container file feature database, determine whether an abnormal event has occurred in the transcribed container.

S610, S620, S630: steps

Claims (10)

1. A verification system for a malicious file of a software container, comprising: a transceiver; a storage medium storing a plurality of modules; and a processor coupled to the storage medium and the transceiver and accessing and executing the plurality of modules, wherein the plurality of modules comprise: a container transcription management interface, which obtains operating parameters from a container running interface of the software container and copies the container running interface to generate a container transcription interface; the container transcription interface, which accesses a container file system of the software container and runs according to the container file system and the operating parameters, thereby generating output parameters; and a container running analysis interface, which determines according to the output parameters whether an abnormal event has occurred, in response to determining that the abnormal event has occurred determines that the software container comprises the malicious file and prohibits the software container from running, and in response to determining that the abnormal event has not occurred instructs the software container to start running.
2. The verification system of claim 1, wherein the plurality of modules further comprise: a container file feature database storing file features corresponding to files in the container file system; and a container file analysis interface, which reads a header of a file to determine whether the header matches the file features, and in response to determining that the header matches the file features instructs the container transcription management interface to generate the container transcription interface.
3. The verification system of claim 2, wherein the container file analysis interface obtains the operating parameters from the container transcription management interface, determines whether the operating parameters match the file features, and in response to determining that the operating parameters match the file features instructs the container transcription management interface to generate the container transcription interface.
4. The verification system of claim 1, wherein the output parameters comprise container state information, central processing unit usage information and memory usage information.
5. The verification system of claim 4, wherein the central processing unit usage information comprises a current central processing unit usage, and the container running analysis interface determines according to the container state information whether the container transcription interface has stopped running, and in response to determining that the container transcription interface has stopped running and the current central processing unit usage is not zero determines that the abnormal event has occurred.
6. The verification system of claim 4, wherein the memory usage information comprises a current memory usage, and the container running analysis interface determines according to the container state information whether the container transcription interface has stopped running, and in response to determining that the container transcription interface has stopped running and the current memory usage is not zero determines that the abnormal event has occurred.
7. The verification system of claim 4, wherein the central processing unit usage information comprises a plurality of central processing unit usage values, and the container running analysis interface determines that the abnormal event has occurred in response to one of the plurality of central processing unit usage values exceeding a usage limit.
8. The verification system of claim 4, wherein the memory usage information comprises a plurality of memory usage values, and the container running analysis interface determines that the abnormal event has occurred in response to one of the plurality of memory usage values exceeding a usage limit.
9. The verification system of claim 1, wherein the operating parameters comprise at least one of the following: a container identifier, a container command, a container state, a central processing unit usage and a memory usage.
10. A verification method for a malicious file of a software container, suitable for a verification system, comprising: obtaining, by the verification system, operating parameters from a container running interface of the software container, and copying the container running interface to generate a container transcription interface; accessing, by the verification system through the container transcription interface, a container file system of the software container so as to run according to the container file system and the operating parameters, thereby generating output parameters; and determining, by the verification system according to the output parameters, whether an abnormal event has occurred, in response to determining that the abnormal event has occurred determining that the software container comprises the malicious file and prohibiting the software container from running, and in response to determining that the abnormal event has not occurred instructing the software container to start running.
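The following is an added Python example, not code from the patent or its applicant, that models steps S610 to S630 of FIG. 6 together with the header check of claim 2 and the anomaly rules of claims 4 to 9 in one place. Every name in it (RunParams, OutputParams, FILE_FEATURE_DB, detect_abnormal, verify_container), the magic-byte table standing in for the container file feature database, the `execute` callable standing in for running the transcribed container, the 80 % CPU and 512 MiB memory limits, and the sample runs are assumptions constructed for illustration; the patent fixes none of them.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional


@dataclass
class RunParams:
    """Operating parameters read from the container running interface (claim 9). Hypothetical type."""
    container_id: str
    command: str
    status: str
    cpu_usage: float  # percent
    mem_usage: float  # MiB


@dataclass
class OutputParams:
    """Output parameters produced by the transcribed container (claim 4). Hypothetical type."""
    status: str               # "running" or "exited"
    cpu_samples: List[float]  # percent, most recent sample last
    mem_samples: List[float]  # MiB, most recent sample last


# Constructed stand-in for container file feature database 500: magic bytes -> file type.
FILE_FEATURE_DB = {b"\x7fELF": "elf", b"MZ": "pe", b"#!": "script"}


def match_header(header: bytes) -> Optional[str]:
    """Container file analysis interface (claim 2): compare the header with the stored features."""
    for magic, kind in FILE_FEATURE_DB.items():
        if header.startswith(magic):
            return kind
    return None


def transcribe(run: RunParams) -> RunParams:
    """S610: copy the running interface into a transcription interface under a new id,
    so the original container is never executed during verification."""
    return RunParams(run.container_id + "-transcribed", run.command, "created", 0.0, 0.0)


def detect_abnormal(out: OutputParams, cpu_limit: float, mem_limit: float) -> Optional[str]:
    """Container running analysis interface (claims 5-8). Returns the rule that fired, or None.
    The most recent sample is taken as the 'current' usage of claims 5 and 6."""
    stopped = out.status == "exited"
    if stopped and out.cpu_samples and out.cpu_samples[-1] != 0:
        return "stopped-but-cpu-nonzero"      # claim 5
    if stopped and out.mem_samples and out.mem_samples[-1] != 0:
        return "stopped-but-memory-nonzero"   # claim 6
    if any(c > cpu_limit for c in out.cpu_samples):
        return "cpu-over-limit"               # claim 7
    if any(m > mem_limit for m in out.mem_samples):
        return "mem-over-limit"               # claim 8
    return None


def verify_container(run: RunParams, file_header: bytes,
                     execute: Callable[[RunParams], OutputParams],
                     cpu_limit: float = 80.0, mem_limit: float = 512.0) -> str:
    """S610-S630 end to end. `execute` stands in for running the transcribed interface
    against the container file system and returns its output parameters."""
    if match_header(file_header) is None:
        return "prohibit"                      # header matches no stored feature (claim 2 gate)
    out = execute(transcribe(run))             # S620
    return "prohibit" if detect_abnormal(out, cpu_limit, mem_limit) else "start"  # S630


# Constructed sample inputs.
SAMPLE_RUN = RunParams("c0ffee", "/app/start.sh", "created", 0.0, 0.0)
ELF_HEADER = b"\x7fELF\x02\x01\x01\x00"


def benign_run(_: RunParams) -> OutputParams:
    """Transcribed container finishes cleanly: usage falls back to zero on exit."""
    return OutputParams("exited", [12.0, 8.0, 0.0], [40.0, 38.0, 0.0])


def lingering_run(_: RunParams) -> OutputParams:
    """Transcribed container reports exited, yet something still consumes CPU and memory."""
    return OutputParams("exited", [12.0, 95.0, 37.5], [40.0, 300.0, 120.0])


if __name__ == "__main__":
    print(verify_container(SAMPLE_RUN, ELF_HEADER, benign_run))     # start
    print(verify_container(SAMPLE_RUN, ELF_HEADER, lingering_run))  # prohibit
```

The rules are checked in claim order, so a container that has exited while still showing non-zero usage is reported under claim 5 or 6 even when one of its samples also crossed a limit; the first rule to fire is enough to prohibit the original container from starting.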
TW111131111A 2022-08-18 2022-08-18 Verification system and verification method for malicious file of container TWI827203B (en)

Publications (2)

Publication Number Publication Date
TWI827203B true TWI827203B (en) 2023-12-21
TW202409872A TW202409872A (en) 2024-03-01

Family

ID=90053386
