With the rapid development of cloud computing, container technology has become a popular way of running multiple application services in a cluster environment or on a single host. The Docker container is one of the most widely used container technologies. It packages application software, dependencies and configuration files into images and distributes applications in the form of images, which is highly efficient in the development and deployment stages. Unlike traditional virtual machines, which run in a completely isolated environment, containers provide a lightweight isolated environment in which the containers running on the same host share the server's operating system and kernel. In the past decade, the development and use of virtualization technology have exploded. Enterprises such as Alibaba, JD.com and ByteDance have all begun to adopt Docker container technology, and potential container security problems have followed. Container security is closely tied to the security of users' assets, research on Docker container security still has major gaps, and the demand for efficient and secure virtualization solutions is growing. In this context, by studying static image files and dynamic runtime containers, this paper proposes the Docker Trusted Images Source Detection (DTISD) model and the Docker Anomaly Detection Based on System call (DADBS) model. First, the DTISD model is proposed to identify whether a Docker image source is trustworthy, motivated by security issues such as image files containing high-risk vulnerabilities and malicious code. The model measures image files against a baseline value, avoids repeated vulnerability scanning by exploiting the parent-child dependency relationship between image files, and combines vulnerability information with measurement information to decide whether the image source is trustworthy. The DTISD model is validated on a cloud server, and the results show that it can effectively identify whether a Docker image source is trustworthy and thus avoid the use of poisoned images. Second, a syscall-based anomaly detection model is proposed to address the weakness that traditional anomaly detection methods cannot effectively identify unknown attacks. The model uses the system call threat level and the TF-IDF algorithm to remove redundant information from system call sequences. Treating a system call sequence like natural language, it introduces an LSTM language model into the anomaly detection scheme and obtains an AUC of 0.848 on the public ADFA data set, which is better than existing anomaly detection models. Finally, syscall-based anomaly detection is applied to the Docker container environment: the DADBS model is proposed and a prototype system is implemented. DADBS builds a fine-grained system call dictionary based on container file features, which further improves the recall and precision of the anomaly detection model. Simulation experiments show that the model can effectively distinguish malicious from benign call sequences in realistic attack scenarios.
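The two DTISD ingredients named above, a baseline measurement of each image and a vulnerability scan that is not repeated for layers shared through the parent-child chain, can be sketched as follows. This is an added illustration, not the thesis's own code: the image catalogue, the package versions, the vulnerability database entries (placeholder identifiers, not CVE numbers) and the hashing of a package list in place of a real layer tarball are all constructed assumptions.

```python
"""Trusted-image-source check combining two signals the DTISD description names:
a baseline measurement of each image layer and a vulnerability scan that is
memoised along the parent-child chain so no layer is scanned twice.
Constructed example, not the thesis's own code."""
import hashlib

# Constructed image catalogue (assumption): parent link plus the packages that
# the image's own layer adds. Names and versions are illustrative.
IMAGES = {
    "base:1":    {"parent": None,        "packages": {"libc": "2.31", "openssl": "1.1.1"}},
    "runtime:1": {"parent": "base:1",    "packages": {"python": "3.8"}},
    "app:1":     {"parent": "runtime:1", "packages": {"flask": "1.0"}},
    "app:2":     {"parent": "runtime:1", "packages": {"flask": "2.3"}},
}

# Constructed vulnerability database keyed by package@version; the identifiers
# are placeholders, not real CVE numbers.
VULN_DB = {
    "openssl@1.1.1": [("VULN-PLACEHOLDER-1", "medium")],
    "flask@1.0":     [("VULN-PLACEHOLDER-2", "high")],
}
HIGH_RISK = {"high", "critical"}


def layer_digest(name):
    """Measurement of an image's own layer. A real system hashes the layer
    tarball; here the sorted package list stands in for the layer content."""
    pkgs = IMAGES[name]["packages"]
    material = "\n".join(f"{p}@{v}" for p, v in sorted(pkgs.items()))
    return hashlib.sha256(material.encode()).hexdigest()


def lineage(name):
    """The image followed by its ancestors up to the root image."""
    chain = []
    while name:
        chain.append(name)
        name = IMAGES[name]["parent"]
    return chain


class LayerScanner:
    """Scans each image's own layer once; an image's full finding list is its
    own findings plus its parent's (cached) findings."""

    def __init__(self, vuln_db):
        self.vuln_db = vuln_db
        self._cache = {}
        self.layers_scanned = 0

    def scan(self, name):
        if name in self._cache:
            return self._cache[name]
        img = IMAGES[name]
        inherited = self.scan(img["parent"]) if img["parent"] else []
        self.layers_scanned += 1
        own = [
            {"layer": name, "package": f"{p}@{v}", "id": vid, "severity": sev}
            for p, v in img["packages"].items()
            for vid, sev in self.vuln_db.get(f"{p}@{v}", [])
        ]
        self._cache[name] = inherited + own
        return self._cache[name]


def is_trusted(scanner, name, baseline):
    """Trust decision: every layer in the chain must match its baseline
    measurement, and no high-risk finding may exist anywhere in the chain."""
    for layer in lineage(name):
        if baseline.get(layer) != layer_digest(layer):
            return False, f"measurement mismatch at layer {layer}"
    high = [f["id"] for f in scanner.scan(name) if f["severity"] in HIGH_RISK]
    if high:
        return False, f"high-risk findings: {high}"
    return True, "trusted"


if __name__ == "__main__":
    # Baseline values would be recorded when the images were approved.
    baseline = {n: layer_digest(n) for n in IMAGES}
    scanner = LayerScanner(VULN_DB)
    for image in ("app:1", "app:2"):
        print(image, is_trusted(scanner, image, baseline))
    # 4 rather than 6 layer scans: base:1 and runtime:1 are scanned once for both images.
    print("layers scanned:", scanner.layers_scanned)
```

The measurement check runs before the scan so that a layer whose content no longer matches its baseline is rejected regardless of what the scanner would report about it; the cache is keyed on the image name only because, in this sketch, a name maps to one fixed layer content.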
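For the syscall side, the abstract describes two stages: stripping redundant calls with a threat level and TF-IDF, then scoring the remaining sequence with a language model. The following added example, which is not the thesis's code, implements the first stage as an IDF-times-threat-level filter and stands in for the LSTM with a bigram model that scores a sequence by the share of call transitions never observed in benign traces. The traces, the threat-level table, the weight threshold and the use of syscall names instead of ADFA's numeric identifiers are all constructed assumptions.

```python
"""Syscall-sequence anomaly detection sketch: TF-IDF/threat-level filtering to
strip redundant calls, then a bigram language model trained on benign reduced
sequences scores how many transitions in a new sequence were never seen in
benign behaviour. Constructed example, not the thesis's own code."""
import math
from collections import Counter

# Constructed threat levels (assumption): calls that change privilege, memory
# protection, process control or network state weigh more than plain I/O.
THREAT_LEVEL = {"execve": 3, "ptrace": 3, "setuid": 3, "mprotect": 2,
                "socket": 2, "connect": 2, "chmod": 2}
DEFAULT_THREAT = 1


class SyscallReducer:
    """Keeps a call only if idf(call) * threat(call) >= min_weight, so calls that
    appear in almost every trace and carry no threat are dropped as redundant."""

    def __init__(self, min_weight=1.1):
        self.min_weight = min_weight
        self.idf = {}
        self.unseen_idf = 0.0

    def fit(self, traces):
        n = len(traces)
        df = Counter(tok for t in traces for tok in set(t))
        # Smoothed IDF, ln((1+n)/(1+df)) + 1, so ubiquitous calls score exactly 1.
        self.idf = {tok: math.log((1 + n) / (1 + c)) + 1 for tok, c in df.items()}
        self.unseen_idf = math.log((1 + n) / 1) + 1  # a never-seen call is the rarest
        return self

    def weight(self, tok):
        return self.idf.get(tok, self.unseen_idf) * THREAT_LEVEL.get(tok, DEFAULT_THREAT)

    def reduce(self, trace):
        return [tok for tok in trace if self.weight(tok) >= self.min_weight]


class BigramModel:
    """Minimal stand-in for the LSTM language model: remembers every adjacent
    pair of calls seen in benign reduced sequences."""
    START, END = "<s>", "</s>"

    def __init__(self):
        self.seen = set()

    def _bigrams(self, seq):
        padded = [self.START] + list(seq) + [self.END]
        return list(zip(padded, padded[1:]))

    def fit(self, sequences):
        for seq in sequences:
            self.seen.update(self._bigrams(seq))
        return self

    def anomaly_score(self, seq):
        bg = self._bigrams(seq)
        return sum(b not in self.seen for b in bg) / len(bg)


def build_detector(benign_traces, min_weight=1.1):
    reducer = SyscallReducer(min_weight).fit(benign_traces)
    model = BigramModel().fit(reducer.reduce(t) for t in benign_traces)
    return reducer, model


def score_trace(reducer, model, trace):
    """Anomaly score in [0, 1]: fraction of transitions unseen in benign data."""
    return model.anomaly_score(reducer.reduce(trace))


# Constructed benign traces of a server-like workload (assumption).
BENIGN_TRACES = [
    ["poll", "accept", "read", "stat", "open", "read", "write", "sendto", "close", "write"],
    ["poll", "accept", "recvfrom", "read", "write", "sendto", "close", "poll", "read", "write"],
    ["poll", "read", "mmap", "read", "write", "munmap", "write", "close", "poll", "read"],
    ["poll", "accept", "read", "open", "fstat", "read", "write", "close", "sendto", "close"],
    ["poll", "recvfrom", "read", "write", "brk", "write", "sendto", "close", "poll", "read"],
    ["poll", "accept", "read", "stat", "read", "write", "sendto", "write", "close", "poll"],
]
HELD_OUT_BENIGN = ["poll", "accept", "read", "stat", "read", "write", "sendto", "close", "poll"]
# Constructed suspicious trace: memory-protection change, exec and outbound connection.
SUSPICIOUS = ["poll", "accept", "read", "write", "mprotect", "execve",
              "socket", "connect", "write", "close"]

if __name__ == "__main__":
    reducer, model = build_detector(BENIGN_TRACES)
    print("reduced benign:", reducer.reduce(BENIGN_TRACES[0]))
    print("held-out benign score:", score_trace(reducer, model, HELD_OUT_BENIGN))
    print("suspicious score:", round(score_trace(reducer, model, SUSPICIOUS), 3))
```

With six training traces the ubiquitous calls (`poll`, `read`, `write`, `close`) get an IDF of exactly 1 and fall below the 1.1 threshold, while a call never seen in training keeps the largest IDF; multiplying by the threat level then guarantees that, for example, `execve` survives reduction even if it had appeared in every benign trace.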