| 基于eBPF的云环境下payload进程检测方法 |
| |
| 引用本文: | 王圣凯,阮树骅,汪邓喆.基于eBPF的云环境下payload进程检测方法[J].计算机应用研究,2023,40(7). |
| |
| 作者姓名: | 王圣凯 阮树骅 汪邓喆 |
| |
| 作者单位: | 四川大学 网络空间安全学院,四川大学 网络空间安全学院,四川大学 网络空间安全学院 |
| |
| 基金项目: | 国家自然科学基金区域基金重点项目(U19A2081);中央高校基础研究基金资助项目(2022SCU12116);四川大学理工科发展计划项目(2020SCUNG129) |
| |
| 摘 要: | 针对目前云环境下攻击载荷(Payload)所体现出的新特征以及目前检测方法性能损耗较高的问题,提出了一种利用eBPF技术在内核态检测反向连接类Payload进程从而定位被入侵容器的方法。该方法在内核态对服务端TCP连接进行监控,通过筛选TCP标志位定位疑似反向连接类Payload进程所在容器,并对该容器进程组后续访问文件行为进行追踪以控制损害。实验证明,该方法可以有效检出并定位被入侵容器,且其性能消耗极低,多线程性能Unixbench分数损耗仅为0.53%。
|
| 关 键 词: | eBPF sock连接分析 Payload检测 异常容器定位 访问文件监控 |
| 收稿时间: | 2022/11/22 0:00:00 |
| 修稿时间: | 2023/6/10 0:00:00 |
payload process detection method based on eBPF in cloud environment |
| |
| WANG Sheng-kai,RUAN Shu-hua and WANG Deng-zhe.payload process detection method based on eBPF in cloud environment[J].Application Research of Computers,2023,40(7). |
| |
| Authors: | WANG Sheng-kai RUAN Shu-hua and WANG Deng-zhe |
| |
| Affiliation: | College of Cybersecurity,Sichuan University,Chengdu,, |
| |
| Abstract: | Aiming at the new features of Payloads in the cloud environment and the high performance loss of current detection methods, this paper proposed a method using eBPF technology to detect reverse connected Payloads in the kernel state to locate the invaded container. This method monitored the TCP connection of the server in the kernel state, located the container of the suspected reverse connection class Payload process by filtering the TCP flag bit, and tracked the subsequent file access behavior of the container process group to control the damage. Experiments show that this method can effectively detect and locate the intruded container, and its performance consumption is extremely low. The multi-threaded performance Unixbench score loss is only 0.53%. |
| |
| Keywords: | eBPF sock connection analysis Payload detection abnormal container location access file monitoring |
|
| 点击此处可从《计算机应用研究》浏览原始摘要信息 |
|
点击此处可从《计算机应用研究》下载全文 |
