In-container process abnormal behavior detection method and system

An anomaly detection and container technology, applied in the field of virtualization security, that addresses problems such as a probability threshold that is difficult to determine uniformly and the resulting false positives or false negatives, and achieves the effects of improving the detection rate, reducing the false positive rate, and speeding up training.

Active Publication Date: 2019-06-07
SICHUAN UNIV

AI Technical Summary

Problems solved by technology

(4) When measuring the abnormality of the current behavior of a process, the usual method is to compare the occurrence probability of short sequences against a probability threshold, but in practice it is difficult to determine this threshold uniformly, resulting in false positives or false negatives.


Embodiment Construction

[0043] The present invention will be described in further detail below in conjunction with the accompanying drawings and specific embodiments.

[0044] Figure 1 gives the overall architecture of the invention's system for detecting abnormal process behavior in a container, based on system call sequences and LSTM (Long Short-Term Memory). As shown in Figure 1, the detection system can be used to detect abnormal process system call behavior in the container, and comprises a data acquisition module, a data modeling module and an anomaly detection module.

[0045] The data acquisition module is located at the host user layer outside the container. According to the ID of the specified container, it uses an agentless method to obtain information about all the processes running in the container, and monitors the runtime used to manage the life cycle of the container based on the ptrace system call. The carri...


Abstract

The invention discloses a method and system for detecting abnormal behavior of processes in a container. At the host user layer, the creation, running and termination of all processes in the container are perceived in real time by agentless monitoring, so that system call behavior data covering the full life cycle of each process is acquired transparently. An LSTM recurrent neural network extracts the semantic features of this sequence data to describe a profile of normal process behavior. Finally, two anomaly judgment methods are provided that accumulate deviations within a local window, so that the regularity of process system call behavior is expressed more stably and the false alarm rate is effectively reduced while the detection rate is improved. In addition, in the modeling stage the number of training samples is reduced proportionally according to the frequency of identical system call short sequences, which speeds up model training, and the short sequence probability threshold used in the detection stage is set by testing on the training data, which reduces the manual workload.
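The local-window idea from the abstract, as an added Python sketch that is not code from the patent: a conditional frequency model stands in for the LSTM, and the window size, deviation limit, threshold rule and traces are all assumptions constructed for illustration.

```python
from collections import Counter, defaultdict

K, WINDOW, MAX_DEV = 3, 8, 5   # assumed values; the page gives none

def short_seqs(trace, k=K):
    """Sliding window: (k-call context, next call) pairs."""
    return [(tuple(trace[i:i + k]), trace[i + k]) for i in range(len(trace) - k)]

def train(traces, k=K):
    """Frequency model P(next | context), a stand-in for the LSTM.
    Identical short sequences collapse into one counted entry."""
    model = defaultdict(Counter)
    for t in traces:
        for ctx, nxt in short_seqs(t, k):
            model[ctx][nxt] += 1
    return model

def prob(model, ctx, nxt):
    if ctx not in model:          # unseen context: no support at all
        return 0.0
    return model[ctx][nxt] / sum(model[ctx].values())

def threshold_from_training(model, traces, k=K):
    """Lowest probability any training short sequence receives, so no
    training sample is flagged and no hand-picked constant is needed."""
    return min(prob(model, c, n) for t in traces for c, n in short_seqs(t, k))

def detect(model, trace, thr, k=K, window=WINDOW, max_dev=MAX_DEV):
    """Start indices of local windows whose deviation count reaches max_dev."""
    dev = [prob(model, c, n) < thr for c, n in short_seqs(trace, k)]
    return [i for i in range(len(dev) - window + 1)
            if sum(dev[i:i + window]) >= max_dev]

# Constructed syscall traces (not captured from a real container).
LOOP = ["open", "read", "write", "close"]
NORMAL = [LOOP * 5, ["open", "read", "read", "write", "close"] * 4]
NOISY = LOOP * 2 + ["getpid"] + LOOP * 3            # one stray call
BURST = LOOP * 2 + ["mmap", "mprotect", "clone", "execve", "wait4"] + LOOP * 2

MODEL = train(NORMAL)
THR = threshold_from_training(MODEL, NORMAL)

if __name__ == "__main__":
    print("threshold:", round(THR, 4))
    print("noisy :", detect(MODEL, NOISY, THR))
    print("burst :", detect(MODEL, BURST, THR))
```

A single stray call disturbs only four consecutive short sequences and stays under the limit, while a run of unseen calls accumulates enough deviations inside one window to raise an alarm.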

Description

Technical field

[0001] The invention relates to the technical field of virtualization security, in particular to a method and system for detecting abnormal behavior of a process in a container.

Background

[0002] With the rapid development of cloud computing technology, the security of cloud platforms has received extensive attention from the industry. Unlike traditional virtualization technology, which virtualizes hardware resources, container technology is an emerging virtualization method that provides a more lightweight and efficient operating-system-level virtual host environment. However, as virtualization platforms become widely used, a malicious process in a container can exploit vulnerabilities in the container or the host kernel to escape to the host, obtain superuser privileges, and threaten the security of the entire cloud platform.

[0003] Intrusion detection schemes based on system calls in traditional hos...


Application Information

Patent Type & Authority: Applications (China)
IPC(8): G06F21/55, G06F9/455
Inventor: 陈兴蜀, 金逸灵, 王玉龙, 蒋超, 金鑫, 王启旭
Owner: SICHUAN UNIV