KR-102961262-B1 - METHOD AND APPARATUS FOR FINE-GRAINED PROCESS-LEVEL NETWORK ACCESS CONTROL IN CONTAINERS
Abstract
One aspect of the present invention discloses a method for fine-grained process-level network access control within a container, performed by a monitoring system. The method comprises: monitoring the creation event of each of a plurality of processes as they are created within the container; recording the behavior of the processes by monitoring their system call events with eBPF (Extended Berkeley Packet Filter); and controlling the network access of at least one of the processes based on a predefined security policy.
Inventors
- 남재현
- 김지수
Assignees
- 단국대학교 산학협력단
Dates
- Publication date: 2026-05-11
- Application date: 2025-03-06
- Priority date: 2025-01-03
Claims (17)
- 1. A method for fine-grained process-level network access control within a container, performed by a monitoring system, the method comprising: monitoring a creation event of each of a plurality of processes as they are created within the container; recording the behavior of the processes by monitoring system call events of the processes using eBPF (Extended Berkeley Packet Filter); and controlling network access of at least one of the processes based on a predefined security policy.
- 2. The method of claim 1, wherein controlling the network access comprises blocking the network access of the at least one process upon detecting that the at least one process has violated the security policy.
- 3. The method of claim 1, wherein the monitoring system comprises a control node that generates, verifies, and distributes the security policy, and a worker node that receives the distributed security policy and monitors and controls the processes.
- 4. The method of claim 3, wherein the control node compares the security policy with a previously defined security policy to check for conflicts, and distributes the security policy to the worker node based on the result of the conflict check.
- 5. The method of claim 3, wherein the worker node processes and monitors the security policy at the kernel level.
- 6. The method of claim 1, wherein the system call events include file access events and network access events.
- 7. The method of claim 6, wherein the network access events include at least one of sys_enter_connect, sys_enter_sendto, and sys_enter_recvfrom.
- 8. The method of claim 6, wherein the file access events include at least one of sys_enter_open, sys_enter_read, and sys_enter_write.
- 9. The method of claim 1, wherein the security policy is defined at the process level for at least one of the network layer, the transport layer, and the application layer.
- 10. The method of claim 1, wherein monitoring the creation event further comprises tracking parent-child relationships between the processes based on the creation event of each of the processes.
- 11. The method of claim 1, wherein recording the behavior comprises: storing information about the system call events; identifying relationships between the processes by constructing a hierarchical structure between the processes from the information about the system call events; structuring the event flow by arranging the information about the system call events in chronological order; matching security policy conditions for the processes; and storing the matched security policy conditions in kernel space.
- 12. The method of claim 11, wherein controlling the network access comprises: verifying the IP address and port through L3 and L4 matching and discovering a policy ID; analyzing packets through payload scanning; and determining the security policy to apply by combining the result of the packet analysis with the security policy conditions.
- 13. The method of claim 1, wherein the security policy is defined based on at least one of a process's file access history, network usage history, and parent process information.
- 14. The method of claim 1, wherein monitoring the creation event comprises monitoring at least one of sys_enter_clone and sys_exit_clone.
- 15. The method of claim 1, wherein the security policy is defined by sequentially reflecting rules at the microservice level, the container level, and the process level.
- 16. A device for fine-grained process-level network access control within a container, comprising: a memory storing an eBPF program; and a processor executing the eBPF program, wherein the processor comprises a policy generation unit that generates security policies for a plurality of processes within a container, a policy verification unit that checks for conflicts by comparing the security policy with an existing policy, and a policy distribution unit that distributes the verified security policy to worker nodes.
- 17. A monitoring device for fine-grained process-level network access control within a container, comprising: a memory storing an eBPF program; and a processor executing the eBPF program, wherein the processor comprises an event monitoring unit that monitors the creation event of each of a plurality of processes as they are created within a container, a behavior recording unit that records the behavior of the processes by monitoring their system call events using the eBPF program, and an access control unit that controls the network access of at least one of the processes based on a received security policy.
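The control-node path of claims 3, 4, 15 and 16 (compose rules level by level, verify the result against the policy already in force, distribute only when no conflict is found) is easy to get wrong in the overlap test. The following is an added example, not code from the patent: the rule schema, the policy IDs, the worker names, the rule that only same-level rules with overlapping scope and disagreeing actions count as conflicts, and all function names are assumptions.

```python
"""Control-node side: compose a per-process network policy from microservice,
container and process level rules (claim 15), check it for conflicts against
the policy already in force (claim 4), and distribute it to worker nodes only
when verification passes (claim 16). Added example; the rule schema, policy
IDs, conflict semantics and worker names are assumptions, not the patent's."""
from dataclasses import dataclass
import ipaddress

# Order in which rules are reflected; a later (more specific) level takes
# precedence over an earlier one when their match scopes overlap.
LEVELS = ("microservice", "container", "process")


@dataclass(frozen=True)
class Rule:
    policy_id: int
    level: str       # one of LEVELS
    process: str     # process name the rule applies to, "*" for any process in scope
    dst_cidr: str    # destination network (L3 condition)
    ports: tuple     # inclusive (lo, hi) destination port range (L4 condition)
    action: str      # "allow" or "block"


def _scopes_overlap(a: Rule, b: Rule) -> bool:
    """True when some (process, destination, port) triple could match both rules."""
    same_process = a.process == b.process or "*" in (a.process, b.process)
    nets_overlap = ipaddress.ip_network(a.dst_cidr).overlaps(ipaddress.ip_network(b.dst_cidr))
    ports_overlap = a.ports[0] <= b.ports[1] and b.ports[0] <= a.ports[1]
    return same_process and nets_overlap and ports_overlap


def compose_policy(rules):
    """Claim 15: reflect rules level by level. The result is ordered most specific
    first (process > container > microservice) so that a first-match evaluation
    on the worker node lets a process-level rule override a container-level one."""
    rank = {level: i for i, level in enumerate(LEVELS)}
    return sorted(rules, key=lambda r: -rank[r.level])   # stable sort keeps author order within a level


def find_conflicts(new_policy, existing_policy):
    """Claim 4: a new rule conflicts with a previously defined rule when both sit at
    the same level, their scopes overlap and their actions disagree. Rules at
    different levels are not reported because the level order already resolves
    them (an assumption about the patent's conflict semantics)."""
    return [(n.policy_id, e.policy_id)
            for n in new_policy for e in existing_policy
            if n.level == e.level and n.action != e.action and _scopes_overlap(n, e)]


def distribute(new_rules, existing_policy, workers):
    """Verify, then distribute. Returns (delivered, conflicts); nothing reaches a
    worker when verification finds a conflict."""
    policy = compose_policy(new_rules)
    conflicts = find_conflicts(policy, existing_policy)
    if conflicts:
        return {}, conflicts
    return {w: policy for w in workers}, []


# Constructed sample data, not taken from the patent.
EXISTING_POLICY = [
    Rule(7, "process", "curl", "10.0.5.0/24", (443, 443), "block"),
]
NEW_RULES = [
    Rule(101, "microservice", "*",    "10.0.0.0/8",   (443, 443), "allow"),
    Rule(102, "container",    "*",    "10.0.5.0/24",  (1, 65535), "block"),
    Rule(103, "process",      "curl", "10.0.5.10/32", (443, 443), "allow"),
]
WORKERS = ["worker-1", "worker-2"]

if __name__ == "__main__":
    delivered, conflicts = distribute(NEW_RULES, EXISTING_POLICY, WORKERS)
    print("conflicts:", conflicts, "delivered to:", sorted(delivered))
    delivered, conflicts = distribute(NEW_RULES, [], WORKERS)
    print("conflicts:", conflicts, "delivered to:", sorted(delivered))
```

Against the constructed data the first call reports the conflict (103, 7) and delivers nothing, because the new process-level allow for curl to 10.0.5.10:443 overlaps the existing process-level block for curl to 10.0.5.0/24:443; with an empty existing policy the composed list, ordered process, container, microservice, reaches both workers. Whether the control node should refuse distribution or let the newer rule win is a design choice the claims leave open; refusing is the conservative reading.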
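The worker-node loop of claims 10 to 14 (build the parent-child tree from clone events, order the event flow by time, cache matched process conditions where the enforcement path can read them, then decide a connect or sendto by L3/L4 matching plus payload scan plus recorded file history) is modelled below in user space on a constructed event stream. This is an added example, not the patent's code: each Event stands for one record an eBPF tracepoint handler would push through a ring buffer, the Rule schema, the default-deny fallback, the use of a plain dict in place of a BPF map, and all helper names are assumptions.

```python
"""Worker-node side, modelled in user space on a constructed event stream. Each
Event stands for one record that an eBPF tracepoint handler (sys_enter_clone,
sys_exit_clone, sys_enter_open, sys_enter_connect, sys_enter_sendto) would push
through a ring buffer. Added example; the Rule schema, the default-deny
behaviour and the helper names are assumptions, not the patent's own code."""
from dataclasses import dataclass, field
import ipaddress


@dataclass(frozen=True)
class Rule:
    policy_id: int
    comm: str                  # process name the rule applies to
    dst_cidr: str              # L3 condition
    ports: tuple               # inclusive (lo, hi) destination ports, L4 condition
    action: str                # "allow" or "block"
    parent: str = None         # required parent comm (claim 13: parent process information)
    no_prior_read: tuple = ()  # path prefixes the process must not have opened (file access history)
    deny_payload: tuple = ()   # byte patterns that turn an allow into a block (claim 12: payload scan)


@dataclass
class Event:                   # constructed stand-in for a tracepoint record
    ts: int
    name: str                  # e.g. "sys_enter_connect"
    pid: int
    comm: str
    args: dict = field(default_factory=dict)


class WorkerNode:
    def __init__(self, rules):
        self.rules = rules
        self.parent = {}       # pid -> parent pid (claim 10)
        self.comm = {}         # pid -> last seen comm
        self.history = {}      # pid -> events in time order (claim 11)
        self.kernel_map = {}   # pid -> ids of rules whose process conditions hold (stand-in for a BPF map)
        self.decisions = []    # (ts, pid, comm, verdict, policy_id, reason)

    def run(self, events):
        # Claim 11: per-CPU buffers may deliver out of order, so order the flow by time first.
        for ev in sorted(events, key=lambda e: e.ts):
            self.handle(ev)
        return self.decisions

    def handle(self, ev):
        self.comm[ev.pid] = ev.comm
        self.history.setdefault(ev.pid, []).append(ev)
        if ev.name == "sys_exit_clone" and ev.args.get("ret", 0) > 0:
            child = ev.args["ret"]                 # clone returns the child pid in the parent
            self.parent[child] = ev.pid
            self.comm.setdefault(child, ev.comm)   # until the child reports its own comm
            self._match_conditions(child)
        self._match_conditions(ev.pid)
        if ev.name in ("sys_enter_connect", "sys_enter_sendto"):
            verdict = self._decide(ev)
            self.decisions.append((ev.ts, ev.pid, ev.comm) + verdict)
            return verdict
        return None

    def timeline(self, pid):
        return [(e.ts, e.name) for e in self.history.get(pid, [])]

    def _match_conditions(self, pid):
        """Claim 11: match the static process-level conditions (comm, parent comm) and
        cache the resulting policy ids where the enforcement path can look them up."""
        comm, parent_comm = self.comm[pid], self.comm.get(self.parent.get(pid))
        self.kernel_map[pid] = {r.policy_id for r in self.rules
                                if r.comm == comm and r.parent in (None, parent_comm)}

    def _opened_paths(self, pid):
        # A real implementation would also map the fd of sys_enter_read/write back to a path.
        return [e.args["path"] for e in self.history.get(pid, []) if e.name == "sys_enter_open"]

    def _decide(self, ev):
        """Claim 12: the L3/L4 match discovers the policy id; the payload scan and the
        recorded file history then decide whether an allow still holds."""
        dst = ipaddress.ip_address(ev.args["dst_ip"])
        port, payload = ev.args["dst_port"], ev.args.get("payload", b"")
        rule = next((r for r in self.rules
                     if r.policy_id in self.kernel_map.get(ev.pid, ())
                     and dst in ipaddress.ip_network(r.dst_cidr)
                     and r.ports[0] <= port <= r.ports[1]), None)
        if rule is None:
            return ("block", None, "no matching policy")   # default deny (assumption)
        if rule.action == "block":
            return ("block", rule.policy_id, "explicit block")
        hit = [p for p in self._opened_paths(ev.pid) if p.startswith(rule.no_prior_read)]
        if hit:
            return ("block", rule.policy_id, f"prior read of {hit[0]}")
        bad = [pat for pat in rule.deny_payload if pat in payload]
        if bad:
            return ("block", rule.policy_id, f"payload matched {bad[0]!r}")
        return ("allow", rule.policy_id, "ok")


# Constructed rules and event stream, not taken from the patent.
RULES = [
    Rule(1, "nginx", "10.0.0.0/8", (443, 443), "allow"),
    Rule(2, "curl", "10.0.0.0/8", (443, 443), "allow", parent="nginx",
         no_prior_read=("/etc/shadow",), deny_payload=(b"root:",)),
    Rule(3, "curl", "0.0.0.0/0", (1, 65535), "block"),   # catch-all for curl
]
EVENTS = [
    Event(1, "sys_enter_clone", 100, "nginx"),
    Event(2, "sys_exit_clone", 100, "nginx", {"ret": 101}),
    Event(3, "sys_enter_connect", 100, "nginx", {"dst_ip": "10.1.2.3", "dst_port": 443}),
    Event(4, "sys_enter_connect", 101, "curl", {"dst_ip": "10.1.2.3", "dst_port": 443}),
    Event(5, "sys_enter_open", 101, "curl", {"path": "/etc/shadow"}),
    Event(7, "sys_enter_sendto", 101, "curl", {"dst_ip": "10.1.2.3", "dst_port": 443, "payload": b"GET / HTTP/1.1"}),
    Event(6, "sys_enter_connect", 101, "curl", {"dst_ip": "10.1.2.3", "dst_port": 8080}),   # delivered out of order
    Event(8, "sys_exit_clone", 200, "bash", {"ret": 201}),
    Event(9, "sys_enter_connect", 201, "curl", {"dst_ip": "10.1.2.3", "dst_port": 443}),
    Event(10, "sys_exit_clone", 100, "nginx", {"ret": 102}),
    Event(11, "sys_enter_sendto", 102, "curl", {"dst_ip": "10.1.2.3", "dst_port": 443, "payload": b"root:x:0:0:root:/root:/bin/bash\n"}),
]
```

Running `WorkerNode(RULES).run(EVENTS)` yields six decisions: nginx (pid 100) and the nginx-spawned curl (pid 101) are allowed to 10.1.2.3:443 under policies 1 and 2; the same curl is blocked on port 8080 by the catch-all policy 3, and blocked again on 443 once its history shows it opened /etc/shadow; the bash-spawned curl (pid 201) never has policy 2 in its cached conditions and falls to policy 3; the second nginx-spawned curl (pid 102) passes L3/L4 but is blocked because its payload matches `root:`. In a real deployment the conditions cached in `kernel_map` would live in a BPF map written by the user-space agent and read by the program attached to the connect/sendto tracepoints.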
Description
Method and apparatus for fine-grained process-level network access control in containers

The present invention relates to a method and apparatus for fine-grained process-level network access control within a container, and more specifically to a method and apparatus that uses eBPF (Extended Berkeley Packet Filter) to track the behavior and relationships of processes within a container in real time and to improve security by applying network policies at the process level.

With the recent advancement of cloud computing and the wide adoption of microservice architectures, the use of container technology is increasing. Containers simplify the deployment and management of applications and make efficient use of resources. However, the growing number of containers and the complex network connections between them pose new security threats. In particular, if the network access behavior of individual processes within a container is not finely controlled, those processes can be exploited as attack vectors.

Existing network access control methods are implemented primarily at the container level and lack fine-grained control at the process level. This limits their ability to meet the differing security requirements of each process, and existing security solutions often do not adequately consider the inherent behavior or context of processes, making it difficult to detect and respond to security breaches effectively. Access control based on Linux security modules or traditional network firewalls cannot reflect inter-process relationships or detailed behavior within containers, and may also lack flexibility.

FIG. 1 is a conceptual diagram of a uprobe operation structure according to one embodiment of the present invention.
FIG. 2 is a conceptual diagram of a container file system structure according to one embodiment of the present invention.
FIG. 3 is a conceptual diagram of a centralized collection and management system according to one embodiment of the present invention.
FIG. 4 is a conceptual diagram of a method for storing duplicate files of OFS according to one embodiment of the present invention.
FIG. 5 is an example diagram of a logging system operation screen according to one embodiment of the present invention.
FIG. 6 is an example diagram of a logging system security log database according to one embodiment of the present invention.
FIG. 7 is a conceptual diagram of another Kubernetes according to one embodiment of the present invention.
FIG. 8 is an example diagram of an information processing device according to one embodiment of the present invention.
FIG. 9 is a diagram of a fine-grained process-level network access control system within a container according to one embodiment of the present invention.
FIG. 10 is a diagram showing an example of nodes within the system.
FIG. 11 is a diagram showing an example of defining a security policy.
FIG. 12 is a diagram showing an example of implementing a security policy.
FIG. 13 is a diagram showing another example of implementing a security policy.
FIG. 14 is a diagram showing another example of implementing a security policy.
FIG. 15 is a flowchart of a fine-grained process-level network access control method within a container according to one embodiment of the present invention.
FIG. 16 is a block diagram of a fine-grained process-level network access control device within a container according to one embodiment of the present invention.
FIG. 17 is a block diagram of a monitoring device for fine-grained process-level network access control within a container according to one embodiment of the present invention.

The present invention is capable of various modifications and may have various embodiments, and specific embodiments are illustrated in the drawings and described in detail.
However, this is not intended to limit the invention to specific embodiments, and it should be understood that the invention includes all modifications, equivalents, and substitutions that fall within the spirit and scope of the invention. Terms such as "first," "second," etc., may be used to describe various components, but said components should not be limited by said terms. These terms are used solely for the purpose of distinguishing one component from another. For example, without departing from the scope of the present invention, the first component may be named the second component, and similarly, the second component may be named the first component. The term "and/or" includes a combination of multiple related described items or any one of the multiple related described items, and is non-exclusive unless otherwise indicated. When items are listed in this application, they are merely illustrative descriptions intended to facilitate the explanation of the spirit of the present invention and possible methods of implementation, and are therefore not intended to limit the scope of the embodiments of the present invention. In this specific