《電子技術(shù)應(yīng)用》
您所在的位置:首頁(yè) > 其他 > 設(shè)計(jì)應(yīng)用 > 基于OpenStack云平臺(tái)的Docker容器安全監(jiān)測(cè)方法研究
基于OpenStack云平臺(tái)的Docker容器安全監(jiān)測(cè)方法研究
信息技術(shù)與網(wǎng)絡(luò)安全 4期
崔 軻,燕 瑋,劉子健,張慕榕,賈星威,許鳳凱
(華北計(jì)算機(jī)系統(tǒng)工程研究所,北京100083)
摘要: 隨著虛擬化技術(shù)和容器技術(shù)的興起,容器安全問題引起了社會(huì)和企業(yè)的廣泛重視。針對(duì)傳統(tǒng)的監(jiān)控方式對(duì)Docker容器信息監(jiān)控不全面、易產(chǎn)生監(jiān)控黑洞等問題,提出一種針對(duì)OpenStack云平臺(tái)下的Docker容器安全監(jiān)測(cè)方法,該方法針對(duì)性強(qiáng),資源占用率小,除了實(shí)現(xiàn)傳統(tǒng)監(jiān)測(cè)功能外,通過采用Logistic-ARMA預(yù)警模型和BERT序列標(biāo)注,還可以實(shí)現(xiàn)對(duì)DoS攻擊、容器逃逸等惡意攻擊的有效監(jiān)測(cè),且根據(jù)容器規(guī)模不同可實(shí)現(xiàn)自定義的預(yù)警功能。經(jīng)過實(shí)驗(yàn)驗(yàn)證,該方法在大規(guī)模容器網(wǎng)絡(luò)中威脅預(yù)測(cè)準(zhǔn)確率可達(dá)85%以上。
中圖分類號(hào): TP391
文獻(xiàn)標(biāo)識(shí)碼: A
DOI: 10.19358/j.issn.2096-5133.2022.04.010
引用格式: 崔軻,燕瑋,劉子健,等. 基于OpenStack云平臺(tái)的Docker容器安全監(jiān)測(cè)方法研究[J].信息技術(shù)與網(wǎng)絡(luò)安全,2022,41(4):65-70.
Research on security monitoring method of Docker container engine based on OpenStack cloud platform
Cui Ke,Yan Wei,Liu Zijian,Zhang Murong,Jia Xingwei,Xu Fengkai
(National Computer System Engineering Research Institute of China,Beijing 100083,China)
Abstract: With the rise of virtualization technology and container technology, container security has attracted extensive attention of society and enterprises. In view of the problems that the traditional monitoring method does not fully monitor the Docker container information and is easy to produce monitoring black holes, this paper proposes a Docker container security monitoring method under the OpenStack cloud platform. This method has strong pertinence and low resource occupancy. In addition to realizing the traditional monitoring function, this methocl can effectively monitor the malicious attacks such as DoS attack and container escape by using the Logistic-ARMA warning model and BERT sequence annotation,and realize the customized early warning functions according to different container sizes. Experimental results show that the accuracy of threat prediction in large-scale container networks can reach more than 85%.
Key words : Docker container;Logistic-ARMA;Bert sequence annotation;large scale container network

0 引言

隨著虛擬化技術(shù)的興起,Docker容器技術(shù)憑借自身資源占用低、不易受環(huán)境因素影響等特點(diǎn)被各大企業(yè)廣泛使用。例如京東、天貓等電商企業(yè)在大型銷售活動(dòng)中均采用Docker作為關(guān)鍵業(yè)務(wù)的支撐,招行、浦發(fā)和法國(guó)興業(yè)等國(guó)內(nèi)外銀行通過Docker搭建容器及服務(wù)的金融云架構(gòu)平臺(tái),為千萬(wàn)級(jí)用戶提供個(gè)人理財(cái)、快速交付等服務(wù)。但是,在容器技術(shù)被各大企業(yè)廣泛使用的同時(shí),容器逃逸、資源非法占用、容器DoS攻擊等安全問題也愈演愈烈,容器本身及其運(yùn)行環(huán)境的安全問題亟待解決。目前針對(duì)容器安全監(jiān)測(cè)的方法很多,例如Zabbix、Scout插件等,但是,Zabbix脫離集中數(shù)據(jù)存儲(chǔ)且復(fù)雜度較高,Scout監(jiān)控起來(lái)要收取大量的費(fèi)用,并且存在監(jiān)控不全面,易產(chǎn)生監(jiān)控黑洞等問題,因此,針對(duì)容器安全監(jiān)測(cè)問題,本文提出了一種新型的安全監(jiān)測(cè)方法,該方法可對(duì)容器的整個(gè)生命周期進(jìn)行監(jiān)控,并且對(duì)容器遭受逃逸和DoS攻擊等可以進(jìn)行有效監(jiān)測(cè)[1]。





本文詳細(xì)內(nèi)容請(qǐng)下載http://forexkbc.com/resource/share/2000004101




作者信息:

崔  軻,燕  瑋,劉子健,張慕榕,賈星威,許鳳凱

(華北計(jì)算機(jī)系統(tǒng)工程研究所,北京100083)




微信圖片_20210517164139.jpg

此內(nèi)容為AET網(wǎng)站原創(chuàng),未經(jīng)授權(quán)禁止轉(zhuǎn)載。