基于OpenStack云平臺的Docker容器安全監(jiān)測方法研究
信息技術(shù)與網(wǎng)絡(luò)安全 4期
崔 軻,,燕 瑋,劉子健,,張慕榕,,賈星威,,許鳳凱
(華北計(jì)算機(jī)系統(tǒng)工程研究所,,北京100083)
摘要: 隨著虛擬化技術(shù)和容器技術(shù)的興起,容器安全問題引起了社會和企業(yè)的廣泛重視,。針對傳統(tǒng)的監(jiān)控方式對Docker容器信息監(jiān)控不全面,、易產(chǎn)生監(jiān)控黑洞等問題,提出一種針對OpenStack云平臺下的Docker容器安全監(jiān)測方法,,該方法針對性強(qiáng),,資源占用率小,除了實(shí)現(xiàn)傳統(tǒng)監(jiān)測功能外,,通過采用Logistic-ARMA預(yù)警模型和BERT序列標(biāo)注,,還可以實(shí)現(xiàn)對DoS攻擊、容器逃逸等惡意攻擊的有效監(jiān)測,,且根據(jù)容器規(guī)模不同可實(shí)現(xiàn)自定義的預(yù)警功能。經(jīng)過實(shí)驗(yàn)驗(yàn)證,,該方法在大規(guī)模容器網(wǎng)絡(luò)中威脅預(yù)測準(zhǔn)確率可達(dá)85%以上,。
中圖分類號: TP391
文獻(xiàn)標(biāo)識碼: A
DOI: 10.19358/j.issn.2096-5133.2022.04.010
引用格式: 崔軻,燕瑋,,劉子健,,等. 基于OpenStack云平臺的Docker容器安全監(jiān)測方法研究[J].信息技術(shù)與網(wǎng)絡(luò)安全,2022,,41(4):65-70.
文獻(xiàn)標(biāo)識碼: A
DOI: 10.19358/j.issn.2096-5133.2022.04.010
引用格式: 崔軻,燕瑋,,劉子健,,等. 基于OpenStack云平臺的Docker容器安全監(jiān)測方法研究[J].信息技術(shù)與網(wǎng)絡(luò)安全,2022,,41(4):65-70.
Research on security monitoring method of Docker container engine based on OpenStack cloud platform
Cui Ke,,Yan Wei,Liu Zijian,,Zhang Murong,,Jia Xingwei,Xu Fengkai
(National Computer System Engineering Research Institute of China,,Beijing 100083,,China)
Abstract: With the rise of virtualization technology and container technology, container security has attracted extensive attention of society and enterprises. In view of the problems that the traditional monitoring method does not fully monitor the Docker container information and is easy to produce monitoring black holes, this paper proposes a Docker container security monitoring method under the OpenStack cloud platform. This method has strong pertinence and low resource occupancy. In addition to realizing the traditional monitoring function, this methocl can effectively monitor the malicious attacks such as DoS attack and container escape by using the Logistic-ARMA warning model and BERT sequence annotation,and realize the customized early warning functions according to different container sizes. Experimental results show that the accuracy of threat prediction in large-scale container networks can reach more than 85%.
Key words : Docker container,;Logistic-ARMA,;Bert sequence annotation;large scale container network
0 引言
隨著虛擬化技術(shù)的興起,,Docker容器技術(shù)憑借自身資源占用低,、不易受環(huán)境因素影響等特點(diǎn)被各大企業(yè)廣泛使用。例如京東,、天貓等電商企業(yè)在大型銷售活動中均采用Docker作為關(guān)鍵業(yè)務(wù)的支撐,,招行、浦發(fā)和法國興業(yè)等國內(nèi)外銀行通過Docker搭建容器及服務(wù)的金融云架構(gòu)平臺,,為千萬級用戶提供個(gè)人理財(cái),、快速交付等服務(wù),。但是,在容器技術(shù)被各大企業(yè)廣泛使用的同時(shí),,容器逃逸,、資源非法占用、容器DoS攻擊等安全問題也愈演愈烈,,容器本身及其運(yùn)行環(huán)境的安全問題亟待解決,。目前針對容器安全監(jiān)測的方法很多,例如Zabbix,、Scout插件等,,但是,Zabbix脫離集中數(shù)據(jù)存儲且復(fù)雜度較高,,Scout監(jiān)控起來要收取大量的費(fèi)用,,并且存在監(jiān)控不全面,易產(chǎn)生監(jiān)控黑洞等問題,,因此,,針對容器安全監(jiān)測問題,本文提出了一種新型的安全監(jiān)測方法,,該方法可對容器的整個(gè)生命周期進(jìn)行監(jiān)控,,并且對容器遭受逃逸和DoS攻擊等可以進(jìn)行有效監(jiān)測[1]。
本文詳細(xì)內(nèi)容請下載:http://forexkbc.com/resource/share/2000004101
作者信息:
崔 軻,,燕 瑋,,劉子健,張慕榕,,賈星威,,許鳳凱
(華北計(jì)算機(jī)系統(tǒng)工程研究所,北京100083)
此內(nèi)容為AET網(wǎng)站原創(chuàng),,未經(jīng)授權(quán)禁止轉(zhuǎn)載,。