Container host-based security protection method and device, and electronic device

By monitoring and managing the permissions and commands of the container host machine account, the potential privilege escalation issue after SSH login is resolved, thus achieving security protection of the host machine, preventing malicious logins, and maintaining normal operation.

CN114912104BActive Publication Date: 2026-06-05TENCENT TECHNOLOGY (SHENZHEN) CO LTD

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Patents(China)
Current Assignee / Owner
TENCENT TECHNOLOGY (SHENZHEN) CO LTD
Filing Date
2021-02-09
Publication Date
2026-06-05

AI Technical Summary

Technical Problem

In existing technologies, after a user logs into the container host machine via SSH, they may exploit host machine vulnerabilities to escalate privileges and obtain greater permissions, resulting in insufficient host machine security.

Method used

By monitoring the permissions and executed commands of the target account, it is determined whether it is used to infiltrate the container. If it is not used to infiltrate the container, it is forcibly logged out. If it is used to infiltrate the container, it remains logged in. A dedicated shell program is used to monitor and verify command parameters to ensure security.

Benefits of technology

It effectively prevents malicious account intrusion and attacks, improves host machine security, and does not interfere with normal container use, providing dual security protection.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure CN114912104B_ABST
    Figure CN114912104B_ABST
Patent Text Reader

Abstract

The present disclosure provides a container host-based security protection method, device and electronic equipment, and relates to the technical field of security. The method comprises the following steps: determining that a target account has at least one of the following permissions: a permission of using a target container and a permission of logging into a host machine, wherein the container is stored in the host machine; in response to the target account logging into the host machine, monitoring an execution command of the target account in the host machine; determining whether the target account is used to cut into the container in the host machine through a monitoring result; and in response to the target account not being used to cut into the container in the host machine, logging out the target account in the host machine. The technical scheme provided by the present disclosure provides the first guarantee for the security of the host machine through the permission confirmation, and provides another guarantee for the security of the host machine by managing the login state of the account logging into the host machine. Therefore, the host machine can be prevented from being invaded or attacked by a maliciously logged-in account to some extent, and the security of the host machine is effectively improved.
Need to check novelty before this filing date? Find Prior Art