
Research On Container Anomaly Detection And Access Control In Cloud Environment

Posted on: 2022-09-11
Degree: Master
Type: Thesis
Country: China
Candidate: Y Yang
GTID: 2568306551480214
Subject: Computer technology

Abstract/Summary:
With the rapid development of container technology, container-based cloud computing is widely used, and the security of containers in cloud environments has drawn wide attention from industry. In the cloud environment, new features such as application containerization, elastic self-service, and microservice-oriented architecture expose the container operating environment to more security risks. These risks can cause the isolation mechanism implemented by the cloud platform to fail to provide the expected security properties. Therefore, analyzing container behavior on the cloud platform to detect the anomalies caused by various security risks, and controlling the access of container behavior, are of great significance for maintaining the security of the cloud platform.

In research on container anomaly detection, traditional methods detect container anomalies by monitoring container behavior and setting thresholds. However, due to the flexibility of applications in cloud scenarios, such container behavior anomaly detection systems have a low detection rate and a high false alarm rate. In research on container access control, the access control methods of the traditional host domain cannot be directly migrated to the container environment. At present, access control in the container environment is realized through functional features provided by the operating system kernel, which cannot guarantee the flexibility and portability of access control in the container environment.

In view of the above background and existing problems, the main research contents of this thesis are as follows:

(1) A scheme for detecting abnormal container behavior based on system calls and autoencoders is proposed. Aiming at the low detection rate of existing threshold-based container anomaly detection methods, and the limited detection range of anomaly detection based on container performance data, a container anomaly detection scheme based on system calls and autoencoders is proposed. Firstly, according to the implementation principle of containers, the system calls of all processes in the container environment are collected dynamically in an agent-free way, and a frequency-feature-based method integrates the system call and directory access frequencies of all processes in the container environment into the container behavior representation. Then this thesis proposes an anomaly detection model based on an autoencoder and a one-class support vector machine. The model uses the autoencoder to learn hidden features of container behavior in an unsupervised way, giving it an easy-to-fit hyperplane in high-dimensional space. A one-class support vector machine is then used to build the anomaly detection model on the hidden-layer representation of the autoencoder to detect abnormal container behavior. Finally, an application in a cloud scenario is constructed to experimentally verify the detection scheme proposed in this thesis.

(2) A container access control scheme based on kprobes and kernel functions is proposed. Aiming at the problem that host access control technology cannot be directly migrated to the container environment, and that access control in the container environment is realized through functional features provided by the operating system kernel, which leads to poor flexibility and portability, a container access control scheme based on kprobes and kernel functions is proposed. Firstly, system calls are classified by function, the relationship between system calls and kernel functions is analyzed in detail, and the implementation of the kernel functions corresponding to the open system call is analyzed. Then a container behavior monitoring method based on kernel functions is proposed, which monitors container behavior indirectly by dynamically tracing kernel function calls. To effectively control abnormal container behavior, an access control algorithm based on modifying the function context is proposed, which makes the inner kernel function call fail and thereby realizes access control of the container. Finally, this thesis conducts an access control experiment and verification on the sensitive my.cnf file in the mysql container.

(3) A container protection system is designed and implemented. Aiming at the security problems introduced by the container running environment, a container security risk model is proposed. This model analyzes the container's potential risks from four aspects: container processes attacking containers, inter-container attacks, container attacks on the host, and host attacks on the container. Then, based on the container security risk model, a container security protection framework is designed and implemented in the Docker environment. The framework takes into account the isolation and restriction characteristics of container technology and implements comprehensive protection of the container environment from two aspects: container anomaly detection and access control.
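The behavior representation of point (1), system-call and directory-access frequencies per observation window with a one-class model fitted on normal data only, as an added example that is not the thesis's code. The trace format, every trace line, and the names `FrequencyFeaturizer`, `ZScoreDetector` and `SIGMA_FLOOR` are assumptions made here; the thesis's autoencoder plus one-class SVM is stood in for by a per-feature z-score distance so the example runs with the standard library alone.

```python
"""Container behaviour representation from system-call traces plus a one-class
detector fitted on normal windows only.  Added illustration, not the thesis's
code: the trace lines are constructed, and the thesis's autoencoder + one-class
SVM is stood in for by a per-feature z-score distance (standard library only)."""
import math
from collections import Counter

SIGMA_FLOOR = 0.01  # a feature that never varied in training still gets a finite scale

# Constructed windows in the shape an agent-less kernel tracer might emit:
# "<container> <pid> <syscall> [<path>]", one list entry per observation window.
NORMAL_WINDOWS = [
    """mysql-1 100 openat /etc/mysql/my.cnf
mysql-1 100 openat /var/lib/mysql/ibdata1
mysql-1 100 pread64
mysql-1 100 pread64
mysql-1 100 pwrite64
mysql-1 100 fsync
mysql-1 101 read
mysql-1 101 write""",
    """mysql-1 100 openat /var/lib/mysql/ib_logfile0
mysql-1 100 pwrite64
mysql-1 100 pwrite64
mysql-1 100 fsync
mysql-1 101 read
mysql-1 101 write""",
    """mysql-1 100 openat /tmp/ib1a2b3c
mysql-1 100 pread64
mysql-1 100 pread64
mysql-1 100 pwrite64
mysql-1 101 read
mysql-1 101 read""",
]
# Constructed window of a compromised container: shell and network activity
# that the database workload never showed during training.
SUSPECT_WINDOW = """mysql-1 200 execve /bin/sh
mysql-1 200 openat /etc/shadow
mysql-1 200 read
mysql-1 200 socket
mysql-1 200 connect
mysql-1 200 write
mysql-1 200 execve /usr/bin/curl"""


def parse_window(text):
    """Parse one window of trace text into (container, pid, syscall, path) tuples."""
    events = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue  # skip malformed lines rather than crash the collector
        events.append((parts[0], parts[1], parts[2], parts[3] if len(parts) > 3 else None))
    return events


def directory_of(path, depth=2):
    """Leading directory components of a path: /var/lib/mysql/x -> /var/lib."""
    parts = [p for p in path.split("/") if p]
    return "/" + "/".join(parts[:depth])


class FrequencyFeaturizer:
    """Normalised frequencies over a syscall vocabulary and a directory vocabulary
    learned from normal windows; unseen values fall into an explicit "<other>"
    bucket so that novelty itself becomes a feature."""

    def fit(self, windows):
        syscalls, dirs = set(), set()
        for events in windows:
            for _, _, syscall, path in events:
                syscalls.add(syscall)
                if path:
                    dirs.add(directory_of(path))
        self.syscalls = sorted(syscalls) + ["<other>"]
        self.dirs = sorted(dirs) + ["<other>"]
        return self

    def transform(self, events):
        sc, dc = Counter(), Counter()
        for _, _, syscall, path in events:
            sc[syscall if syscall in self.syscalls else "<other>"] += 1
            if path:
                d = directory_of(path)
                dc[d if d in self.dirs else "<other>"] += 1
        n_sc, n_dc = max(1, sum(sc.values())), max(1, sum(dc.values()))
        return [sc[s] / n_sc for s in self.syscalls] + [dc[d] / n_dc for d in self.dirs]


class ZScoreDetector:
    """One-class detector: RMS distance of a vector from the per-feature mean of
    the normal data, in standard-deviation units (stand-in for autoencoder + OCSVM)."""

    def fit(self, vectors):
        n, dim = len(vectors), len(vectors[0])
        self.mu = [sum(v[i] for v in vectors) / n for i in range(dim)]
        self.sigma = [max(SIGMA_FLOOR, math.sqrt(sum((v[i] - self.mu[i]) ** 2 for v in vectors) / n))
                      for i in range(dim)]
        # Decision threshold derived from the normal data alone: no labelled anomalies needed.
        self.threshold = max(1.0, 1.5 * max(self.score(v) for v in vectors))
        return self

    def score(self, vector):
        z = [(x - m) / s for x, m, s in zip(vector, self.mu, self.sigma)]
        return math.sqrt(sum(v * v for v in z) / len(z))


def run_demo():
    """Fit on the normal windows and score the suspect window."""
    normal = [parse_window(w) for w in NORMAL_WINDOWS]
    feat = FrequencyFeaturizer().fit(normal)
    det = ZScoreDetector().fit([feat.transform(e) for e in normal])
    score = det.score(feat.transform(parse_window(SUSPECT_WINDOW)))
    return {"threshold": det.threshold, "suspect_score": score, "anomalous": score > det.threshold}
```

Two design points carry over from the abstract regardless of the model behind them: the representation is built per window from all processes in the container rather than per process, and the decision boundary comes from normal traffic only, which is what lets the detector flag a shell spawn or an unexpected directory without ever having seen an attack. The fixed z-score here is where the thesis's learned hidden-layer representation would give a tighter boundary on a workload with more variability.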
Keywords/Search Tags: Container Virtualization, Cloud Computing, Security Protection, Anomaly Detection, Access Control