CN-121681181-B - Container abnormality detection method and electronic equipment
Abstract
The application discloses a container anomaly detection method and an electronic device, in the technical field of computers. The first detection model performs static aggregation feature analysis on the performance indicators collected while a container runs; it does not depend on uniform fixed model parameters but derives each container's anomaly degree from that container's own resource characteristics, so it adapts to containers of different specifications and gives an accurate preliminary screening. Among the candidate abnormal containers thus screened, a second detection model analyzes time-series features, modelling the container's behaviour trend over its operating period through time-series dependencies, and identifies persistent abnormal behaviour such as slow attacks or resource stealing that static features cannot detect. This layered strategy of static aggregation feature screening followed by dynamic time-series verification addresses the poor model adaptability and insufficient time-series detection capability of related techniques, and improves both the adaptability and the detection depth of container anomaly detection.
Inventors
- ZHANG BIN
- ZHOU MEIQING
Assignees
- 苏州元脑智能科技有限公司
Dates
- Publication Date: 20260512
- Application Date: 20251029
Claims (10)
- 1. A method for detecting an abnormality of a container, comprising: collecting performance indicators of a plurality of containers during operation; for each container, calculating corresponding static aggregation features from the performance indicators and calculating a corresponding first anomaly degree with a first detection model, wherein the first detection model is configured to perform non-time-series static aggregation feature analysis so as to screen candidate abnormal containers whose behaviour deviates; if the first anomaly degree is greater than a first threshold, judging the container whose first anomaly degree is greater than the first threshold to be a candidate abnormal container, and calculating a second anomaly degree of the candidate abnormal container with a second detection model based on time-series features of the performance indicators in the time dimension, wherein the second detection model is configured to perform time-series-dependent behaviour pattern analysis so as to screen out the abnormal container; and triggering an anomaly response strategy for the abnormal container if the second anomaly degree is greater than a second threshold; wherein the isolation forest model comprises a plurality of subtrees, the threat summary of each subtree being determined from the anomaly degree and the activity degree of that subtree, the anomaly degree measuring the average extent to which the samples isolated by the subtree deviate from normal, and the activity degree measuring the relative frequency of events handled by the subtree per unit time; and wherein determining the threat summary of a subtree from its anomaly degree and activity degree comprises determining the threat summary of the subtree on the basis of threat_level, abnormality and activity, threat_level being the threat summary, abnormality being the anomaly degree and activity being the activity degree.
- 2. The container anomaly detection method according to claim 1, characterized in that the maximum depth of the trees constructed in the isolation forest model is determined dynamically from the number of CPU cores of the target container.
- 3. The container anomaly detection method according to claim 2, characterized in that the maximum depth of the trees constructed in the isolation forest model is determined by: determining the maximum tree depth from depth = min(20, 10 × cpu_quota), where depth is the maximum tree depth and cpu_quota is the number of CPU cores of the target container.
- 4. The container anomaly detection method according to claim 1, wherein the anomaly degree is determined by: obtaining the path length from the root node to each sample in the subtree, and calculating the average path length of all samples from the root node; and calculating the anomaly degree of the subtree from the average path length and a preset maximum tree depth.
- 5. The container anomaly detection method according to claim 4, wherein calculating the anomaly degree of the subtree from the average path length and the preset maximum tree depth comprises: calculating the anomaly degree of the subtree from abnormality = 1 - avg_path_length / max_depth, where abnormality is the anomaly degree, avg_path_length is the average path length and max_depth is the preset maximum tree depth.
- 6. The container anomaly detection method according to claim 1, wherein the activity degree is determined by: obtaining the number of events of the subtree per unit time; and calculating the activity degree from the number of events and a baseline event frequency.
- 7. The container anomaly detection method according to claim 6, wherein calculating the activity degree from the number of events and the baseline event frequency comprises: calculating the activity degree from activity = min(1, sub_event_freq / base_freq), where activity is the activity degree, sub_event_freq is the number of events and base_freq is the baseline event frequency.
- 8. The container anomaly detection method according to any one of claims 1 to 7, characterized in that collecting the performance indicators of the plurality of containers during operation comprises: collecting the performance indicators of the plurality of containers during operation with a plurality of sliding windows of different scales; and calculating the corresponding static aggregation features from the performance indicators comprises: calculating, for the sliding window of each scale, statistics of the performance indicators within that sliding window, the static aggregation features comprising at least the statistics corresponding to each sliding window.
- 9. The container anomaly detection method according to any one of claims 1 to 7, characterized by further comprising, after collecting the performance indicators of the plurality of containers during operation: caching the performance indicators in a backup data channel; if the first anomaly degree is greater than the first threshold, obtaining the performance indicators from the backup data channel to determine the time-series features of the performance indicators in the time dimension; and if the first anomaly degree is less than or equal to the first threshold, or the second anomaly degree is less than or equal to the second threshold, clearing the performance indicators from the backup data channel.
- 10. An electronic device, comprising: a memory for storing a computer program; and a processor for implementing the steps of the container anomaly detection method according to any one of claims 1 to 9 when executing the computer program.
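As an added illustration, not code from the patent or its assignee, the per-subtree quantities of claims 3 to 7 computed over constructed container feature rows: the depth cap from cpu_quota, a plain isolation subtree with its root-to-leaf path lengths, the anomaly degree and the activity degree. The merge into threat_level is left out because the claim text here does not carry that formula.

```python
import random
from statistics import mean
# Constructed static aggregation features, one row per container sample
# (CPU-usage mean, peak memory in MiB); the last row is a deliberate outlier.
SAMPLES = [[0.21, 310], [0.25, 305], [0.19, 320], [0.23, 298],
           [0.22, 312], [0.24, 301], [0.20, 309], [0.97, 1980]]

def max_tree_depth(cpu_quota):
    """Claim 3: depth = min(20, 10 * cpu_quota); 2 cores or more hit the cap of 20."""
    return int(min(20, 10 * cpu_quota))

def build_subtree(samples, max_depth, rng, depth=0):
    """One isolation subtree: random splittable feature, random cut; stop at 1 sample or the cap."""
    if depth >= max_depth or len(samples) <= 1:
        return {"size": len(samples)}
    splittable = [f for f in range(len(samples[0]))
                  if min(s[f] for s in samples) < max(s[f] for s in samples)]
    if not splittable:                      # duplicate rows cannot be separated further
        return {"size": len(samples)}
    feat = rng.choice(splittable)
    split = rng.uniform(min(s[feat] for s in samples), max(s[feat] for s in samples))
    left = [s for s in samples if s[feat] < split]
    right = [s for s in samples if s[feat] >= split]
    return {"feat": feat, "split": split,
            "left": build_subtree(left, max_depth, rng, depth + 1),
            "right": build_subtree(right, max_depth, rng, depth + 1)}

def path_length(node, sample, depth=0):
    """Claim 4: number of edges from the root to the leaf that holds the sample."""
    if "feat" not in node:
        return depth
    child = node["left"] if sample[node["feat"]] < node["split"] else node["right"]
    return path_length(child, sample, depth + 1)

def anomaly_degree(tree, samples, max_depth):
    """Claim 5: abnormality = 1 - avg_path_length / max_depth; short paths mean
    the samples were isolated quickly, i.e. the subtree mostly saw deviating rows."""
    return 1 - mean(path_length(tree, s) for s in samples) / max_depth

def activity_degree(sub_event_freq, base_freq):
    """Claim 7: activity = min(1, sub_event_freq / base_freq), capped at 1."""
    return min(1.0, sub_event_freq / base_freq)

def subtree_threat_inputs(samples, cpu_quota, sub_event_freq, base_freq, seed=7):
    """Return (abnormality, activity) for one subtree; the page omits the formula
    that merges them into threat_level, so the merge is not reproduced here."""
    depth = max_tree_depth(cpu_quota)
    tree = build_subtree(samples, depth, random.Random(seed))
    return anomaly_degree(tree, samples, depth), activity_degree(sub_event_freq, base_freq)
```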
Description
Technical Field
The present application relates to the field of computer technology, and in particular to a container anomaly detection method and an electronic device.
Background
With the spread of cloud-native technology, containers have become the core carrier for application deployment thanks to being lightweight and standardized. Their dynamic, transient nature, however, also introduces new security risks, which makes anomaly detection for containers critical. Container anomaly detection in the related art mainly uses machine-learning methods based on static resource indicators. When such a method is applied to a container environment its model parameters are usually fixed, so it cannot adapt to scenarios in which container resource specifications differ widely: for low-specification containers resource use is easily misjudged, while for high-specification containers the detection depth is insufficient. In addition, most such methods focus on static feature data and lack the ability to analyze time-series behaviour, so persistent attacks with a long latency period and slow behaviour (such as resource stealing) are hard to identify, and security threats are not discovered in time.
Disclosure of Invention
The application provides a container anomaly detection method and an electronic device, which at least solve the technical problems of poor model adaptability and insufficient time-series detection capability in the related art, and achieve the technical effect of improving the adaptability and the detection depth of container anomaly detection.
The application provides a container anomaly detection method comprising the steps of: collecting performance indicators of the containers during operation; calculating corresponding static aggregation features from the performance indicators and calculating a corresponding first anomaly degree with a first detection model, the first detection model being configured to perform non-time-series static aggregation feature analysis so as to screen candidate abnormal containers whose behaviour deviates; if the first anomaly degree is greater than a first threshold, judging the containers whose first anomaly degree is greater than the first threshold to be candidate abnormal containers and calculating a second anomaly degree of the candidate abnormal containers with a second detection model based on time-series features of the performance indicators in the time dimension, the second detection model being configured to perform time-series-dependent behaviour pattern analysis so as to screen the abnormal containers; and triggering an anomaly response strategy for the abnormal containers if the second anomaly degree is greater than a second threshold. The application also provides an electronic device comprising a memory and a processor, the memory storing a computer program and the processor implementing the steps of any of the container anomaly detection methods above when executing the program. The application further provides a computer-readable storage medium storing a computer program which, when executed by a processor, implements the steps of any of the container anomaly detection methods above, and a computer program product comprising a computer program which, when executed by a processor, implements the same steps.
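An added sketch of the layered flow of claims 1, 8 and 9 in Python, not the patent's own implementation: multi-scale window statistics, a first-stage gate, the backup data channel and the second-stage check on the cached indicators. The two scoring functions first_degree and second_degree are stand-ins chosen for illustration; the page does not specify the second detection model, and the first-stage isolation-forest scoring is not reproduced here.

```python
from statistics import mean, pstdev

# Constructed CPU-usage samples, one per tick, for three containers: c1 is flat,
# c2 climbs slowly over the whole period, c3 is flat with one short spike.
METRICS = {
    "c1": [0.20, 0.22, 0.19, 0.21, 0.23, 0.20, 0.22, 0.21, 0.20, 0.22, 0.21, 0.20],
    "c2": [0.20, 0.24, 0.29, 0.35, 0.42, 0.50, 0.59, 0.69, 0.80, 0.92, 1.05, 1.19],
    "c3": [0.20] * 11 + [0.60],
}
WINDOW_SCALES = (3, 6, 12)      # claim 8: sliding windows of several scales

def static_features(series):
    """Claim 8: statistics of the most recent window at each scale."""
    return {w: {"mean": mean(series[-w:]), "std": pstdev(series[-w:]),
                "max": max(series[-w:])} for w in WINDOW_SCALES}

def first_degree(feats):
    """Stand-in for the first detection model (an assumption, not the page's
    isolation-forest scoring): largest max/mean excess over all window scales."""
    return max(f["max"] / f["mean"] for f in feats.values()) - 1.0

def second_degree(series):
    """Stand-in for the second, time-series model (an assumption): share of
    tick-to-tick increases, so a monotone slow climb scores 1.0 and a flat
    series with one spike scores close to 0."""
    ups = sum(1 for a, b in zip(series, series[1:]) if b > a)
    return ups / (len(series) - 1)

def layered_detect(metrics, t1=0.3, t2=0.8):
    """Claims 1 and 9: cache the raw indicators in a backup channel, run the
    second stage only for first-stage candidates and only on the cached data,
    and clear the channel when either stage finds nothing."""
    backup, outcome = {}, {}
    for cid, series in metrics.items():
        backup[cid] = list(series)                # backup data channel
        d1 = first_degree(static_features(series))
        if d1 <= t1:
            outcome[cid] = "normal"
            backup.pop(cid)
            continue
        d2 = second_degree(backup[cid])           # time-series features from the cache
        if d2 <= t2:
            outcome[cid] = "candidate-only"
            backup.pop(cid)
            continue
        outcome[cid] = "abnormal"                 # trigger the response strategy
    return outcome, sorted(backup)
```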
According to the application, the first detection model is based on static aggregation feature analysis of the performance indicators collected while the container runs; it does not depend on uniform fixed model parameters but derives each container's anomaly degree from that container's own resource characteristics, so it adapts to containers of different specifications and gives an accurate preliminary screening. Among the screened candidate abnormal containers, a second detection model analyzes time-series features, modelling the container's behaviour trend over its operating period through time-series dependencies, and identifies persistent abnormal behaviour such as slow attacks or resource stealing that static features cannot detect. This layered strategy of static aggregation feature screening followed by dynamic time-series verification solves the technical problems of poor model adaptability and insufficient time-series detection capability in the related art, and achieves the technical effect of improving the adaptabi