基于OpenStack云平臺的Docker容器安全監(jiān)測方法研究
信息技術與網(wǎng)絡安全 4期
崔 軻,,燕 瑋,,劉子健,,張慕榕,,賈星威,,許鳳凱
(華北計算機系統(tǒng)工程研究所,,北京100083)
摘要: 隨著虛擬化技術和容器技術的興起,,容器安全問題引起了社會和企業(yè)的廣泛重視,。針對傳統(tǒng)的監(jiān)控方式對Docker容器信息監(jiān)控不全面,、易產生監(jiān)控黑洞等問題,,提出一種針對OpenStack云平臺下的Docker容器安全監(jiān)測方法,該方法針對性強,,資源占用率小,,除了實現(xiàn)傳統(tǒng)監(jiān)測功能外,通過采用Logistic-ARMA預警模型和BERT序列標注,,還可以實現(xiàn)對DoS攻擊,、容器逃逸等惡意攻擊的有效監(jiān)測,且根據(jù)容器規(guī)模不同可實現(xiàn)自定義的預警功能,。經(jīng)過實驗驗證,,該方法在大規(guī)模容器網(wǎng)絡中威脅預測準確率可達85%以上。
中圖分類號: TP391
文獻標識碼: A
DOI: 10.19358/j.issn.2096-5133.2022.04.010
引用格式: 崔軻,,燕瑋,,劉子健,,等. 基于OpenStack云平臺的Docker容器安全監(jiān)測方法研究[J].信息技術與網(wǎng)絡安全,2022,,41(4):65-70.
文獻標識碼: A
DOI: 10.19358/j.issn.2096-5133.2022.04.010
引用格式: 崔軻,,燕瑋,,劉子健,,等. 基于OpenStack云平臺的Docker容器安全監(jiān)測方法研究[J].信息技術與網(wǎng)絡安全,2022,,41(4):65-70.
Research on security monitoring method of Docker container engine based on OpenStack cloud platform
Cui Ke,,Yan Wei,Liu Zijian,,Zhang Murong,,Jia Xingwei,Xu Fengkai
(National Computer System Engineering Research Institute of China,,Beijing 100083,,China)
Abstract: With the rise of virtualization technology and container technology, container security has attracted extensive attention of society and enterprises. In view of the problems that the traditional monitoring method does not fully monitor the Docker container information and is easy to produce monitoring black holes, this paper proposes a Docker container security monitoring method under the OpenStack cloud platform. This method has strong pertinence and low resource occupancy. In addition to realizing the traditional monitoring function, this methocl can effectively monitor the malicious attacks such as DoS attack and container escape by using the Logistic-ARMA warning model and BERT sequence annotation,and realize the customized early warning functions according to different container sizes. Experimental results show that the accuracy of threat prediction in large-scale container networks can reach more than 85%.
Key words : Docker container,;Logistic-ARMA,;Bert sequence annotation;large scale container network
0 引言
隨著虛擬化技術的興起,,Docker容器技術憑借自身資源占用低,、不易受環(huán)境因素影響等特點被各大企業(yè)廣泛使用。例如京東,、天貓等電商企業(yè)在大型銷售活動中均采用Docker作為關鍵業(yè)務的支撐,,招行、浦發(fā)和法國興業(yè)等國內外銀行通過Docker搭建容器及服務的金融云架構平臺,,為千萬級用戶提供個人理財,、快速交付等服務。但是,,在容器技術被各大企業(yè)廣泛使用的同時,,容器逃逸、資源非法占用,、容器DoS攻擊等安全問題也愈演愈烈,,容器本身及其運行環(huán)境的安全問題亟待解決。目前針對容器安全監(jiān)測的方法很多,,例如Zabbix,、Scout插件等,但是,,Zabbix脫離集中數(shù)據(jù)存儲且復雜度較高,,Scout監(jiān)控起來要收取大量的費用,并且存在監(jiān)控不全面,,易產生監(jiān)控黑洞等問題,,因此,針對容器安全監(jiān)測問題,,本文提出了一種新型的安全監(jiān)測方法,,該方法可對容器的整個生命周期進行監(jiān)控,,并且對容器遭受逃逸和DoS攻擊等可以進行有效監(jiān)測[1]。
本文詳細內容請下載:http://forexkbc.com/resource/share/2000004101
作者信息:
崔 軻,,燕 瑋,,劉子健,張慕榕,,賈星威,,許鳳凱
(華北計算機系統(tǒng)工程研究所,北京100083)
此內容為AET網(wǎng)站原創(chuàng),,未經(jīng)授權禁止轉載,。