CN118101342A - Cluster log audit and attack behavior blocking method and system - Google Patents
Publication number: CN118101342A
Authority: CN (China)
Legal status: Pending (as listed by Google Patents, which notes that the status is an assumption and not a legal conclusion)
Abstract
The application discloses a method and a system for cluster log auditing and attack-behavior blocking in the technical field of computer and network security. The method comprises: obtaining an application programming interface (API) request and invoking a mutating admission webhook so that the API request is passed to that webhook; parsing the API request carried by the mutating admission webhook to obtain the current behavior traffic, and judging according to preset security rules whether the current behavior contains an attack; and, if it does, notifying the validating admission webhook to block the current behavior and converting the current behavior traffic into a log file. The scheme supports hot plugging, is compatible with a wider range of systems and needs no cluster restart; it blocks at the moment the event occurs, that is, the current behavior is blocked as soon as a security-risk behavior is detected in it; and it supports greater rule extensibility, so that the behavior of most security attacks can be detected.
Description
Technical Field
The application relates to the technical field of computer and network security, in particular to a cluster log audit and attack behavior blocking method and system.
Background
Kubernetes (K8s for short) is an open-source container orchestration platform that provides native audit logging, which records accesses to cluster resources and the events that occur in the cluster. Most cloud vendors use it to check cluster health and to detect network security attacks by collecting the logs, cleaning the data and matching rules. This approach has drawbacks: the audit stream carries a large amount of useless data, so processor cores cannot be used effectively; it cannot be hot-plugged, because the audit policy is a configuration file handed to the API server at start-up, so any change to it is only loaded after the cluster component is restarted; it covers relatively few detection events; and for certain security attacks the native log function limits the kinds of rules that can be matched, so rule writing is restricted.
Disclosure of Invention
The application provides a cluster log auditing and attack behavior blocking method, which aims to solve the problems of the prior-art method for detecting whether a cluster is under security attack: low resource utilization, no hot plugging and few detection events.
In order to achieve the above purpose, the present application adopts the following technical scheme:
the application discloses a cluster log auditing and attack behavior blocking method, which comprises the following steps:
obtaining an API request and invoking a mutating admission webhook so that the API request is passed to the mutating admission webhook;
parsing the API request contained in the mutating admission webhook to obtain the current behavior traffic, and judging according to preset security rules whether the current behavior contains an attack;
when an attack exists, notifying the validating admission webhook to block the current behavior, and converting the current behavior traffic into a log file.
Preferably, the method further comprises:
extending the resource kinds supported by the mutating admission webhook with a newly added Ingress entry or a designated custom resource type, through interaction between the cluster's official SDK and the cluster API.
Preferably, passing the API request to the mutating admission webhook comprises:
passing the data objects of the API request to the mutating admission webhook, the data objects including the API request path, the resource and the operation.
Preferably, parsing the API request contained in the mutating admission webhook to obtain the current behavior traffic and judging according to preset security rules whether the current behavior contains an attack comprises:
parsing the data objects of the API request contained in the mutating admission webhook to obtain the current behavior traffic;
matching the current behavior against the preset security rules and, if the current behavior matches at least one preset security rule, determining that the current behavior contains an attack, where the preset security rules include detection of a sensitive directory mount event, a privileged container event and the use of a high-privilege account.
Preferably, when an attack exists, before the validating admission webhook is notified to block the current behavior, the method further comprises:
when the current behavior contains an attack, determining an attack event and sending the attack-event IP to the cluster API server;
when the current behavior contains no attack, sending a normal-event IP to the cluster API server.
Preferably, when an attack exists, before the validating admission webhook is notified to block the current behavior, the method further comprises:
the cluster API server judging again whether the current behavior contains an attack.
Preferably, blocking the current behavior by the validating admission webhook comprises:
intercepting the API request that reaches the cluster API server, the API request being a cluster create request, update request or delete request, and, when a blocking notification is received, rejecting the API request by returning the corresponding error response.
A cluster log audit and attack blocking system, comprising:
an admission control module, comprising a mutating admission webhook and a validating admission webhook, for obtaining an API request, invoking the mutating admission webhook so that the API request is passed to it, and invoking the validating admission webhook to block the current behavior when the current behavior contains an attack;
a rule engine module, for parsing the API request contained in the mutating admission webhook to obtain the current behavior traffic, judging according to preset security rules whether the current behavior contains an attack, and, if so, notifying the validating admission webhook to block the current behavior;
a log analysis module, for converting the current behavior traffic into a log file.
An electronic device comprising a memory and a processor, the memory storing one or more computer instructions which, when executed by the processor, implement the cluster log audit and attack blocking method of any of the preceding claims.
A computer-readable storage medium storing a computer program which, when executed by a computer, causes the computer to implement the cluster log audit and attack blocking method of any of the preceding claims.
The invention has the following beneficial effects:
The application supports hot plugging, is compatible with a wider range of systems and needs no cluster restart; it blocks at the moment the event occurs, that is, the current behavior is blocked as soon as a security-risk behavior is detected in it; and it supports greater rule extensibility, so that the behavior of most security attacks can be detected.
Drawings
In order to more clearly illustrate the embodiments of the application or the technical solutions of the prior art, the drawings which are used in the description of the embodiments or the prior art will be briefly described, it being obvious that the drawings in the description below are only some embodiments of the application, and that other drawings can be obtained according to these drawings without inventive faculty for a person skilled in the art.
FIG. 1 is a flow chart of a cluster log audit and attack blocking method of the present application;
FIG. 2 is a schematic diagram of a cluster log audit and attack blocking device according to the present application;
FIG. 3 is a schematic diagram of an electronic device for implementing the cluster log audit and attack behavior blocking method.
Detailed Description
The following description of the embodiments of the present application will be made clearly and fully with reference to the accompanying drawings, in which it is evident that the embodiments described are only some, but not all embodiments of the application. All other embodiments, which can be made by those skilled in the art based on the embodiments of the application without making any inventive effort, are intended to be within the scope of the application.
The terms "first," "second," and the like in the claims and the description of the application, are used for distinguishing between similar objects and not necessarily for describing a particular sequential or chronological order, and it is to be understood that the terms so used may be interchanged, if appropriate, merely to describe the manner in which objects of the same nature are distinguished in the embodiments of the application by the description, and furthermore, the terms "comprise" and "have" and any variations thereof are intended to cover a non-exclusive inclusion, such that a process, method, system, article, or apparatus that comprises a list of elements is not necessarily limited to those elements but may include other elements not expressly listed or inherent to such process, method, article, or apparatus.
The Kubernetes API, i.e. the cluster application programming interface, is a resource-based (RESTful) interface served over HTTP. It supports retrieving, creating, updating and deleting the primary resources with the standard HTTP verbs POST, PUT, PATCH, DELETE and GET, and almost all Kubernetes behavior, including resource operations and authentication and authorization, goes through this RESTful interface.
Most Kubernetes API resource types are objects that represent specific instances of a concept in the cluster. These objects are the important components of Kubernetes and include Deployments, Services and Namespaces, among others.
In the current Kubernetes architecture the API server (kube-apiserver) plays the central role. It serves the HTTP-based REST API used to manage the cluster, provides authentication, authorization, data validation and cluster state changes, and thereby guards the security of the whole cluster; it is also the hub through which the cluster's components communicate. Every operation on the cluster, such as querying or managing resource objects like Pods and Services, must pass through the API server. The API server also interacts with the distributed key-value store etcd, in which the cluster's running state is persisted, and it is the API entry point of the cluster and one of its control-plane components, exposing the Kubernetes API so that users and other components can operate the cluster through it. Therefore the traffic is analyzed by way of the API server, stored in a database once analyzed, and finally processed into log messages.
The application provides a cluster log audit and attack behavior blocking method and system based on the admission control function of the API server. It monitors the traffic information in the cluster, detects certain security attacks, blocks them in real time, and parses the traffic into logs for later audit.
Example 1
As shown in FIG. 1, the application provides a cluster log audit and attack blocking method comprising the following steps:
S110, obtaining an API request and invoking a mutating admission webhook so that the API request is passed to the mutating admission webhook;
S120, parsing the API request contained in the mutating admission webhook to obtain the current behavior traffic, and judging according to preset security rules whether the current behavior contains an attack;
S130, when an attack exists, notifying the validating admission webhook to block the current behavior, and converting the current behavior traffic into a log file.
In Embodiment 1, the Kubernetes API server provides admission control, and admission control offers a mechanism called the admission webhook: an HTTP callback that receives and handles admission requests. Two kinds of admission webhook can be defined, the validating admission webhook (ValidatingAdmissionWebhook) and the mutating admission webhook (MutatingAdmissionWebhook). The request traffic is not mirrored to the webhooks; the API server calls them itself, and the mutating admission webhook is called first. When a user or another component issues an API request, the request first arrives at the Kubernetes API server; during admission control the API server invokes the configured mutating admission webhook and passes it the object data of the API request, which includes the API request path, the resource and the operation (Kubernetes sends this as an AdmissionReview object whose request part carries the request uid, the kind and resource, the namespace, the operation and the object itself). The API server actively calls the interface exposed by the mutating admission webhook and waits for its result on the API request before proceeding. Thus, instead of listening to network traffic directly, the mutating admission webhook obtains the request data because the Kubernetes API server calls the interface it provides, and it executes its logic on that basis. Because the API server waits for this callback, the webhook sits on the cluster's write path: its latency is added to every matching request, and the failurePolicy in the webhook configuration decides whether requests are admitted or rejected when the webhook cannot be reached.
Further, the resource kinds supported by the mutating admission webhook are extended with a newly added entry or a designated custom resource type through interaction between the cluster's official SDK and the cluster API.
A problem remains, however: the mutating admission webhook, which is what acquires the traffic inside the cluster, is by default configured for only some resource types, such as Pods, Services, Deployments and ConfigMaps. To solve this, when the deployment starts, this embodiment extends the resource kinds delivered to the mutating admission webhook, adding the Ingress entry or a designated custom resource type, through the official Kubernetes SDK interacting with the Kubernetes API, so that the acquired traffic is complete. In Kubernetes the resources and operations delivered to a webhook are determined by the rules in its webhook configuration object, which can be created or updated through the API at any time without restarting the API server; that is what makes this extension possible at run time. This embodiment therefore supports greater rule extensibility and can detect most security attack behaviors.
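As an added example, not taken from the patent, this is what the webhook configuration that sets that coverage looks like for the validating (blocking) side. The object and webhook names, the audit-system/audit-webhook service, the /validate path and the example.com custom resource group are assumptions; the mutating (observing) webhook is registered the same way with kind MutatingWebhookConfiguration and the same rules.

```yaml
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
  name: audit-blocker                 # assumed name
webhooks:
- name: block.audit.example.com       # assumed; must be a fully qualified name
  admissionReviewVersions: ["v1"]
  sideEffects: None                   # lets the API server send dry-run requests to the webhook
  failurePolicy: Fail                 # Ignore would let an attacker bypass the check by making the webhook unreachable
  timeoutSeconds: 5                   # added to the latency of every matching request
  clientConfig:
    service:
      namespace: audit-system         # assumed
      name: audit-webhook             # assumed
      path: /validate                 # assumed
    # caBundle: base64 CA bundle that signs the webhook's serving certificate (omitted here)
  rules:
  - apiGroups: [""]
    apiVersions: ["v1"]
    operations: ["CREATE", "UPDATE"]
    resources: ["pods", "services", "configmaps"]
  - apiGroups: ["apps"]
    apiVersions: ["v1"]
    operations: ["CREATE", "UPDATE"]
    resources: ["deployments", "daemonsets", "statefulsets"]
  - apiGroups: ["networking.k8s.io"]  # the Ingress entry the embodiment adds
    apiVersions: ["v1"]
    operations: ["CREATE", "UPDATE", "DELETE"]
    resources: ["ingresses"]
  - apiGroups: ["example.com"]        # a custom resource group, assumed
    apiVersions: ["*"]
    operations: ["*"]
    resources: ["*"]
```

Two caveats that follow from how admission works: webhooks only fire for CREATE, UPDATE, DELETE and CONNECT, so read requests (get, list, watch) never reach them and this does not replace the audit log for read access; and an exec into a Pod arrives as a CONNECT on the pods/exec subresource, so it is only seen if the rules list resources pods/exec with operation CONNECT.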
Further, the data objects of the API request contained in the mutating admission webhook are parsed to obtain the current behavior traffic;
the current behavior is matched against the preset security rules and, if it matches at least one preset security rule, the current behavior is determined to contain an attack, where the preset security rules include detection of a sensitive directory mount event, a privileged container event and the use of a high-privilege service account (sa).
The rule engine is loaded and receives the traffic passed on by the mutating admission webhook. This traffic comprises concrete data objects such as the API request path, the resource and the operation; the rule engine parses these data objects to determine the current behavior traffic and then matches the preset security rules against the current behavior. The preset security rules may be custom or default and are not otherwise restricted; in this embodiment they cover attack-event behaviors such as a sensitive directory mount event, a privileged container event and the use of a high-privilege service account. If the current behavior matches at least one preset security rule, the current behavior is determined to contain an attack, the attack event is confirmed, an alarm is raised, and the attack-event IP is sent to the validating admission webhook to notify it to block the attack. If the current behavior contains no attack, the normal-event IP is sent directly to the Kubernetes API server.
Further, when the current behavior contains an attack, an attack event is determined and the attack-event IP is sent to the cluster API server;
when the current behavior contains no attack, a normal-event IP is sent to the cluster API server.
In fact the message containing the attack-event IP sent by the rule engine reaches the Kubernetes API server first. To improve the accuracy of the result, the Kubernetes API server judges again whether the current behavior contains an attack (this step is prior art and is not described in detail here), and if the result is yes, the Kubernetes API server invokes the validating admission webhook to block the current behavior. This embodiment supports blocking at the moment the event occurs, that is, the current behavior is blocked as soon as a security-risk behavior is detected in it.
Whatever the result of the Kubernetes API server's determination, the current behavior traffic is finally converted into a log file. Specifically, the current behavior traffic is first obtained from the mutating admission webhook, for example:
{
  "kind": "Deployment",
  "apiVersion": "apps/v1",
  "metadata": {
    "name": "nginx-deployment",
    "namespace": "default",
    "labels": { "app": "nginx" }
  },
  "spec": {
    "replicas": 3,
    "selector": { "matchLabels": { "app": "nginx" } },
    "template": {
      "metadata": { "labels": { "app": "nginx" } },
      "spec": {
        "containers": [
          {
            "name": "nginx",
            "image": "nginx:1.14.2",
            "ports": [ { "containerPort": 80 } ]
          }
        ]
      }
    }
  }
}
Here kind specifies the type of Kubernetes resource, a Deployment; apiVersion specifies the Kubernetes API version, "apps/v1", that is, version v1 of the apps API group. metadata holds the resource's metadata, such as its name, namespace and labels: name is the resource name, "nginx-deployment"; namespace is the namespace the resource belongs to, "default"; and labels are the resource's labels, used to identify and classify it, here "app": "nginx", indicating that the Deployment deploys the nginx application. spec gives the Deployment's specification, including the replica count and the Pod template: replicas is the number of Pod replicas to create, 3; selector is the label selector that picks the Pods to be controlled, and matchLabels names the labels a Pod must carry, here "app": "nginx"; template is the template from which Pods are created, whose metadata holds the Pod's metadata, including its labels, again "app": "nginx", and whose spec is the Pod specification, including containers, the list of containers in the Pod: name is the container name, image is the image the container runs, "nginx:1.14.2", that is, version 1.14.2 of the nginx image, ports is the container's port configuration, and containerPort is the port the container listens on, port 80, for HTTP service.
Then, according to the format and characteristics of the data, the collected raw data is parsed into fields and attributes such as the resource type, the image list and the namespace the resource belongs to, and finally this information is combined into a log file and stored. This embodiment supports hot plugging, has higher system compatibility and needs no cluster restart.
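The AdmissionReview the API server hands to the webhook, the rule matching in the rule engine and the conversion of each request into a log record are small enough to show end to end. The following is an added example written for this page, not code from the patent or from Kubernetes: the list of sensitive host paths, the set of high-privilege namespace/service-account pairs, the rule names and the two sample AdmissionReview bodies are constructed assumptions, and the parsing uses the field names of admission.k8s.io/v1 and core/v1 with the standard library only. It goes slightly beyond the page by also treating DaemonSets, StatefulSets, ReplicaSets, Jobs and init containers as carriers of a pod spec, and by writing a record for every request, blocked or not.

```python
"""Rule engine and audit record for a validating admission webhook (added example)."""
import json
from dataclasses import asdict, dataclass, field
from typing import Any, Dict, List, Optional, Tuple, Union

# Rule data, both assumptions made for this example: host paths treated as sensitive when
# mounted via hostPath, and namespace/serviceAccount pairs known to hold powerful RBAC
# bindings (a real deployment would derive the latter from the cluster's RBAC objects).
SENSITIVE_HOST_PATHS = ("/", "/etc", "/proc", "/root", "/var/lib/kubelet", "/var/run/docker.sock")
HIGH_PRIVILEGE_SERVICE_ACCOUNTS = {"kube-system/cluster-admin-sa"}
POD_TEMPLATE_KINDS = {"Deployment", "DaemonSet", "StatefulSet", "ReplicaSet", "Job"}


def extract_pod_spec(kind: str, obj: dict) -> Optional[dict]:
    """Return the PodSpec of a Pod, or of a workload kind that embeds a pod template."""
    if kind == "Pod":
        return obj.get("spec")
    if kind in POD_TEMPLATE_KINDS:
        return ((obj.get("spec") or {}).get("template") or {}).get("spec")
    return None  # Services, ConfigMaps, Ingresses and the like carry no pod spec


def _sensitive(path: str) -> bool:
    # exact match, or a path below a sensitive directory ("/" only matches itself)
    return any(path == s or (s != "/" and path.startswith(s + "/")) for s in SENSITIVE_HOST_PATHS)


def evaluate(namespace: str, spec: dict) -> List[str]:
    """Match one pod spec against the preset rules; an empty list is a normal event."""
    hits = []
    for vol in spec.get("volumes") or []:
        path = (vol.get("hostPath") or {}).get("path")
        if path and _sensitive(path):
            hits.append(f"sensitive_hostpath_mount:{path}")
    for c in (spec.get("containers") or []) + (spec.get("initContainers") or []):
        if (c.get("securityContext") or {}).get("privileged"):
            hits.append(f"privileged_container:{c['name']}")
    sa = spec.get("serviceAccountName") or "default"  # Kubernetes default when unset
    if f"{namespace}/{sa}" in HIGH_PRIVILEGE_SERVICE_ACCOUNTS:
        hits.append(f"high_privilege_serviceaccount:{sa}")
    return hits


@dataclass
class AuditRecord:
    """One log line; written for every admission request, blocked or not."""
    uid: str
    operation: str
    namespace: str
    kind: str
    images: List[str] = field(default_factory=list)
    matched_rules: List[str] = field(default_factory=list)
    blocked: bool = False


def review(body: Union[bytes, str, dict]) -> Tuple[dict, AuditRecord]:
    """Decode an AdmissionReview, apply the rules, return (reply for the API server, audit record).

    A DELETE carries oldObject instead of object, so nothing matches and the request is
    allowed but still logged. A deny is simply allowed=false plus a status in the reply.
    """
    ar = json.loads(body) if isinstance(body, (bytes, str)) else body
    req = ar["request"]
    kind = req["kind"]["kind"]
    rec = AuditRecord(uid=req["uid"], operation=req["operation"], namespace=req.get("namespace", ""), kind=kind)
    response: Dict[str, Any] = {"uid": req["uid"], "allowed": True}
    spec = extract_pod_spec(kind, req.get("object") or {})
    if spec is not None:
        rec.images = [c.get("image", "") for c in spec.get("containers") or []]
        rec.matched_rules = evaluate(rec.namespace, spec)
        if rec.matched_rules:
            rec.blocked = True
            response["allowed"] = False
            response["status"] = {"code": 403, "message": "blocked by security rules: " + ", ".join(rec.matched_rules)}
    return {"apiVersion": ar["apiVersion"], "kind": ar["kind"], "response": response}, rec


# Constructed AdmissionReview bodies, not captured from a cluster: a Deployment that trips
# all three rules, and a harmless Pod.
SAMPLE_ATTACK = {
    "apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
    "request": {
        "uid": "7e1d", "kind": {"group": "apps", "version": "v1", "kind": "Deployment"},
        "namespace": "kube-system", "operation": "CREATE",
        "object": {"spec": {"template": {"spec": {
            "serviceAccountName": "cluster-admin-sa",
            "containers": [{"name": "nginx", "image": "nginx:1.14.2", "securityContext": {"privileged": True}}],
            "volumes": [{"name": "host", "hostPath": {"path": "/etc/kubernetes"}}]}}}},
    },
}
SAMPLE_NORMAL = {
    "apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
    "request": {
        "uid": "9a02", "kind": {"group": "", "version": "v1", "kind": "Pod"},
        "namespace": "default", "operation": "CREATE",
        "object": {"spec": {"containers": [{"name": "nginx", "image": "nginx:1.14.2"}],
                            "volumes": [{"name": "tmp", "emptyDir": {}}]}},
    },
}

if __name__ == "__main__":
    for sample in (SAMPLE_ATTACK, SAMPLE_NORMAL):
        reply, rec = review(sample)
        print(json.dumps(reply["response"]))  # what goes back to the API server
        print(json.dumps(asdict(rec)))        # what goes to the log store
```

A real webhook server wraps review() in an HTTPS handler (the API server only calls webhooks over TLS), returns the first element as the JSON body and ships the AuditRecord to the log store. At the Kubernetes API level the only way a validating webhook blocks a request is to answer allowed: false with a status, which the API server turns into the error the client sees; whatever notification path the rule engine uses internally, that reply is what the API server acts on.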
It should be noted here in particular that:
Usually, most vendors use the native audit logging of Kubernetes. First a log destination is added in the core configuration file of the Kubernetes API server; when the Kubernetes logging module reads the database and forms the log, the log is sent to the configured destination. This process has problems. Kubernetes is a core cloud-native component for which long-term stable operation is essential, yet the native audit function requires editing the configuration of the core API server component, which Kubernetes must then load, and a configuration failure can bring Kubernetes down as a whole, which undoubtedly adds risk. Moreover, certain attack behaviors cannot be blocked at all, and because certain security rules are built into Kubernetes, only logs and a subset of security attack events can be reported. Finally, transmitting the native Kubernetes audit log across multiple traffic flows also costs some performance. None of these problems is present in this embodiment.
Example 2
As shown in fig. 2, the cluster log audit and attack blocking system includes a control admittance module, a rule engine module and a log analysis module, wherein:
The admission control module comprises a mutating admission webhook and a validating admission webhook, and is used to obtain an API request, invoke the mutating admission webhook so that the API request is passed to it, and invoke the validating admission webhook to block the current behavior when the current behavior contains an attack;
the rule engine module is configured to parse the API request contained in the mutating admission webhook to obtain the current behavior traffic, judge according to preset security rules whether the current behavior contains an attack, and, if so, notify the validating admission webhook to block the current behavior;
the log analysis module is used to convert the current behavior traffic into a log file.
In this embodiment, self-developed modules, namely the rule engine module and the log analysis module, are added between the Kubernetes API server and the database storage. Using the admission control function of the Kubernetes API server, they achieve log auditing and attack-behavior blocking while being hot-pluggable, without any restart.
Example 3
As shown in fig. 3, an electronic device includes a memory 301 and a processor 302, where the memory 301 is configured to store one or more computer instructions, and the one or more computer instructions are executed by the processor 302 to implement a cluster log audit and attack blocking method described above.
It will be clearly understood by those skilled in the art that, for convenience and brevity of description, the specific working process of the electronic device described above may refer to the corresponding process in the foregoing method embodiment, which is not described herein again.
A computer readable storage medium storing a computer program which, when executed by a computer, causes the computer to implement a cluster log audit and attack blocking method as described above.
By way of example, a computer program may be divided into one or more modules/units stored in the memory 301 and executed by the processor 302 and completed by the input interface 305 and the output interface 306 to complete the present invention, and one or more modules/units may be a series of computer program instruction segments capable of performing specific functions for describing the execution of the computer program in a computer device.
The computer device may be a desktop computer, a notebook computer, a palm computer, a cloud server, or the like. The computer device may include, but is not limited to, a memory 301, a processor 302, it will be understood by those skilled in the art that the present embodiment is merely an example of a computer device and is not limiting of a computer device, may include more or fewer components, or may combine certain components, or different components, e.g., a computer device may also include an input 307, a network access device, a bus, etc.
The processor 302 may be a central processing unit (CPU), but may also be another general-purpose processor, a digital signal processor (DSP), an application-specific integrated circuit (ASIC), a field-programmable gate array (FPGA) or other programmable logic device, a discrete gate or transistor logic device, a discrete hardware component, or the like. The general-purpose processor may be a microprocessor or any conventional processor.
The memory 301 may be an internal storage unit of the computer device, such as a hard disk or the memory of the computer device. The memory 301 may also be an external storage device of the computer device, such as a plug-in hard disk, a smart media card (SMC), a secure digital (SD) card or a flash card, and it may further include both an internal storage unit and an external storage device. The memory 301 is used to store the computer programs and the other programs and data required by the computer device, and may also temporarily store programs and data for the output device 308. The storage media referred to above include a USB disk, a removable hard disk, a read-only memory (ROM 303), a random-access memory (RAM 304), a magnetic or optical disk, and other media that can store program code.
The foregoing is merely illustrative of specific embodiments of the present invention, and the scope of the present invention is not limited thereto, but any changes or substitutions within the technical scope of the present invention should be covered by the scope of the present invention. Therefore, the protection scope of the present invention shall be subject to the protection scope of the claims.
Claims (10)
1. A cluster log auditing and attack behavior blocking method, characterized by comprising the following steps:
obtaining an API request and invoking a mutating admission webhook so that the API request is passed to the mutating admission webhook;
parsing the API request contained in the mutating admission webhook to obtain the current behavior traffic, and judging according to preset security rules whether the current behavior contains an attack;
when an attack exists, notifying the validating admission webhook to block the current behavior, and converting the current behavior traffic into a log file.
2. The cluster log audit and attack blocking method according to claim 1, further comprising:
extending the resource kinds supported by the mutating admission webhook with a newly added Ingress entry or a designated custom resource type, through interaction between the cluster's official SDK and the cluster API.
3. The cluster log audit and attack blocking method according to claim 1, wherein passing the API request to the mutating admission webhook comprises:
passing the data objects of the API request to the mutating admission webhook, the data objects including the API request path, the resource and the operation.
4. The method for cluster log audit and attack blocking according to claim 3, wherein the analyzing the application program interface request included in the admittance webhook of the modification property to obtain the current behavior flow, and judging whether the attack exists in the current behavior according to the preset security rule includes:
Analyzing the data object requested by the application program interface contained in the admittance webhook of the changed property to obtain the current behavior flow;
And matching the current behavior with a preset security rule, and if the current behavior is matched with at least one preset security rule, determining that an attack behavior exists in the current behavior, wherein the preset security rule comprises detection of a sensitive directory mounting event, a privileged container event and a carrying large-authority account number.
5. The method for cluster log review and attack blocking-up according to claim 1, wherein when an attack exists, notifying admission webhook of verification properties to block up the current behavior further comprises:
When the current behavior comprises an attack behavior, determining an attack event, and sending the attack event IP to a cluster application program interface server;
And when the current behavior does not have the attack behavior, sending a normal event IP to the cluster application program interface server.
6. The method for cluster log review and attack blocking-up according to claim 5, wherein notifying admission webhook of verification properties before blocking up the current behavior when an attack exists further comprises:
And the cluster application program interface server judges whether the attack behavior exists in the current behavior again.
7. The cluster log audit and attack blocking method according to claim 1 wherein the admission webhook of the verification nature blocks the current behavior, including:
Intercepting an application program interface request reaching a cluster application program interface server, wherein the application program interface request comprises a cluster creation request, an update request or a deletion request, and when a blocking notification is received, rejecting the application program interface request by returning a corresponding error response.
8. A clustered journal audit and attack blocking system comprising:
A control admission module, including an admission webhook of a change nature and an admission webhook of a verification nature, for obtaining an application program interface request and invoking an admission webhook of the change nature to pass the application program interface request to an admission webhook of the change nature, and invoking an admission webhook of the verification nature to block a current behavior when there is an attack in the current behavior;
The rule engine module is used for analyzing the application program interface request contained in the admittance webhook of the change property to obtain the current behavior flow, judging whether an attack behavior exists in the current behavior according to a preset safety rule, and if so, notifying the admittance webhook of the verification property to block the current behavior;
And the log analysis module is used for converting the current behavior flow into a log file.
9. An electronic device comprising a memory and a processor, the memory to store one or more computer instructions, wherein the one or more computer instructions are executed by the processor to implement a cluster log audit and attack blocking method according to any of claims 1-7.
10. A computer readable storage medium storing a computer program, wherein the computer program causes a computer to execute a cluster log audit and attack blocking method according to any of claims 1 to 7.
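Claims 1 to 7 describe the Kubernetes admission-webhook flow: the API server hands the request to a webhook as an AdmissionReview, a rule engine extracts the facts it cares about (hostPath mounts, the privileged flag, the service account), and the decision is returned as an AdmissionResponse that either allows the request or rejects it with an error status, while each decision is written out as an audit record. The following Go program is an added example written for this page; it is not code from the patent, and the patent does not publish an implementation. It declares its own minimal subset of the admission.k8s.io/v1 AdmissionReview and Pod wire formats (an assumption made to avoid a k8s.io dependency; only the fields it reads or writes are modelled), uses a constructed list of sensitive directories and high-privilege service accounts, and runs a constructed sample request. The TLS server, the MutatingWebhookConfiguration/ValidatingWebhookConfiguration registration, and the second judgment by the API server in claims 5 and 6 are not modelled.

```go
package main

import (
	"encoding/json"
	"fmt"
	"path"
	"strings"
)

// Subset of the admission.k8s.io/v1 AdmissionReview wire format, declared locally so the
// example needs no k8s.io module (assumption: only the fields read or written here are modelled).
type AdmissionReview struct {
	APIVersion string             `json:"apiVersion"`
	Kind       string             `json:"kind"`
	Request    *AdmissionRequest  `json:"request,omitempty"`
	Response   *AdmissionResponse `json:"response,omitempty"`
}

type AdmissionRequest struct {
	UID       string                                    `json:"uid"`
	Operation string                                    `json:"operation"` // CREATE, UPDATE or DELETE
	UserInfo  struct{ Username string `json:"username"` } `json:"userInfo"`
	Object    json.RawMessage                           `json:"object"` // absent on DELETE
}

type Status struct {
	Code    int    `json:"code"`
	Message string `json:"message"`
}

type AdmissionResponse struct {
	UID     string  `json:"uid"`
	Allowed bool    `json:"allowed"`
	Result  *Status `json:"status,omitempty"` // shown to the client as the rejection reason
}

// Pod subset needed by the three rules: hostPath volumes, privileged flag, service account.
type Pod struct {
	Spec struct {
		ServiceAccountName string `json:"serviceAccountName"`
		Volumes            []struct {
			HostPath *struct{ Path string `json:"path"` } `json:"hostPath"`
		} `json:"volumes"`
		Containers []struct {
			Name            string `json:"name"`
			SecurityContext *struct{ Privileged bool `json:"privileged"` } `json:"securityContext"`
		} `json:"containers"`
	} `json:"spec"`
}

// Behavior is the "current behavior flow": the facts extracted from one request.
type Behavior struct {
	Operation, User, ServiceAccount string
	HostPaths, Privileged            []string
}

// Constructed policy data; which directories and accounts count as sensitive is a site decision.
var sensitiveDirs = []string{"/", "/etc", "/proc", "/root", "/var/lib/kubelet", "/var/run/docker.sock"}
var highPrivilegeAccounts = map[string]bool{"cluster-admin-sa": true}

// under reports whether p equals dir or lies beneath it. Cleaning first stops
// "/var/run/../run/docker.sock" from slipping past a plain prefix comparison.
func under(p, dir string) bool {
	p = path.Clean(p)
	return p == dir || (dir != "/" && strings.HasPrefix(p, dir+"/"))
}

// extract turns the request's data objects (operation, user, object) into a Behavior.
func extract(req *AdmissionRequest) (Behavior, error) {
	b := Behavior{Operation: req.Operation, User: req.UserInfo.Username}
	if len(req.Object) == 0 {
		return b, nil // nothing to inspect on DELETE
	}
	var pod Pod
	if err := json.Unmarshal(req.Object, &pod); err != nil {
		return b, err
	}
	b.ServiceAccount = pod.Spec.ServiceAccountName
	for _, v := range pod.Spec.Volumes {
		if v.HostPath != nil {
			b.HostPaths = append(b.HostPaths, v.HostPath.Path)
		}
	}
	for _, c := range pod.Spec.Containers {
		if c.SecurityContext != nil && c.SecurityContext.Privileged {
			b.Privileged = append(b.Privileged, c.Name)
		}
	}
	return b, nil
}

// evaluate applies the three preset rules and returns a finding for each one that matches.
func evaluate(b Behavior) (hits []string) {
	for _, p := range b.HostPaths {
		for _, d := range sensitiveDirs {
			if under(p, d) {
				hits = append(hits, "sensitive-hostpath-mount:"+p)
				break
			}
		}
	}
	if len(b.Privileged) > 0 {
		hits = append(hits, "privileged-container:"+strings.Join(b.Privileged, ","))
	}
	if highPrivilegeAccounts[b.ServiceAccount] {
		hits = append(hits, "high-privilege-service-account:"+b.ServiceAccount)
	}
	return hits
}

// Review runs the rule engine over one AdmissionReview body and returns the response review
// plus one JSON audit line; any matching rule rejects the request with a 403 status.
func Review(body []byte) (AdmissionReview, string, error) {
	var in AdmissionReview
	if err := json.Unmarshal(body, &in); err != nil || in.Request == nil {
		return AdmissionReview{}, "", fmt.Errorf("malformed AdmissionReview (request missing or unparsable): %v", err)
	}
	b, err := extract(in.Request)
	if err != nil {
		return AdmissionReview{}, "", err
	}
	hits := evaluate(b)
	resp := &AdmissionResponse{UID: in.Request.UID, Allowed: len(hits) == 0}
	if !resp.Allowed {
		resp.Result = &Status{Code: 403, Message: "blocked by rules: " + strings.Join(hits, "; ")}
	}
	logLine, _ := json.Marshal(map[string]interface{}{"uid": in.Request.UID, "operation": b.Operation, "user": b.User,
		"serviceAccount": b.ServiceAccount, "hostPaths": b.HostPaths, "privilegedContainers": b.Privileged,
		"allowed": resp.Allowed, "matchedRules": hits})
	return AdmissionReview{APIVersion: in.APIVersion, Kind: in.Kind, Response: resp}, string(logLine), nil
}

// sampleReview is a constructed CREATE request for a pod that trips all three rules.
const sampleReview = `{"apiVersion":"admission.k8s.io/v1","kind":"AdmissionReview","request":{"uid":"4c7e","operation":"CREATE","userInfo":{"username":"dev"},"object":{"spec":{"serviceAccountName":"cluster-admin-sa","volumes":[{"hostPath":{"path":"/var/run/../run/docker.sock"}}],"containers":[{"name":"c","securityContext":{"privileged":true}}]}}}}`

func main() {
	out, logLine, err := Review([]byte(sampleReview))
	if err != nil {
		panic(err)
	}
	enc, _ := json.Marshal(out)
	fmt.Println(string(enc) + "\n" + logLine)
}
```

Two points a practitioner would check before deploying this pattern. First, the rule engine in claim 1 runs in the mutating phase, but only the validating phase sees the object after every mutating webhook has run, so the decision should be enforced there (as claim 7 does) rather than on the pre-mutation object. Second, a webhook that is unreachable is a bypass unless its configuration sets failurePolicy: Fail, and any namespaceSelector or objectSelector exemption (kube-system is the usual one) is a place an attacker will try to create the pod instead.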
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202410492446.4A CN118101342A (en) | 2024-04-23 | 2024-04-23 | Cluster log audit and attack behavior blocking method and system |
Publications (1)
Publication Number | Publication Date |
---|---|
CN118101342A true CN118101342A (en) | 2024-05-28 |
Family
ID=91155542
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN202410492446.4A Pending CN118101342A (en) | 2024-04-23 | 2024-04-23 | Cluster log audit and attack behavior blocking method and system |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN118101342A (en) |
Citations (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20180115595A1 (en) * | 2016-10-26 | 2018-04-26 | International Business Machines Corporation | Generic and configurable technique for webhook validation with arbitrary applications |
CN113452717A (en) * | 2021-07-02 | 2021-09-28 | 安天科技集团股份有限公司 | Method and device for communication software safety protection, electronic equipment and storage medium |
CN115237541A (en) * | 2022-07-29 | 2022-10-25 | 济南浪潮数据技术有限公司 | Audit log generation method and related components |
CN115348086A (en) * | 2022-08-15 | 2022-11-15 | 中国电信股份有限公司 | Attack protection method and device, storage medium and electronic equipment |
CN116561755A (en) * | 2022-01-27 | 2023-08-08 | 腾讯科技(深圳)有限公司 | Vulnerability detection method and device of cloud API, computer equipment and storage medium |
US20230319112A1 (en) * | 2022-04-05 | 2023-10-05 | Sophos Limited | Admission control in a containerized computing environment |
CN117319032A (en) * | 2023-09-27 | 2023-12-29 | 宁夏金信光伏电力有限公司 | Network security active defense method and system |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
CN108683604B (en) | Concurrent access control method, terminal device, and medium | |
CN113489713B (en) | Network attack detection method, device, equipment and storage medium | |
US9455975B2 (en) | Techniques for managing credentials in a distributed computing environment | |
CN106778260B (en) | Attack detection method and device | |
IL275042A (en) | Self-adaptive application programming interface level security monitoring | |
US10341355B1 (en) | Confidential malicious behavior analysis for virtual computing resources | |
US8806643B2 (en) | Identifying trojanized applications for mobile environments | |
US9229758B2 (en) | Passive monitoring of virtual systems using extensible indexing | |
US10965680B2 (en) | Authority management method and device in distributed environment, and server | |
US20210141915A1 (en) | System for automatic classification and protection unified to both cloud and on-premise environments | |
WO2019144548A1 (en) | Security test method, apparatus, computer device and storage medium | |
US20220229657A1 (en) | Extensible resource compliance management | |
US8327324B1 (en) | Message logging system | |
CN110941632A (en) | Database auditing method, device and equipment | |
Liccardi et al. | Improving mobile app selection through transparency and better permission analysis | |
Liccardi et al. | Improving user choice through better mobile apps transparency and permissions analysis | |
US20230376610A1 (en) | Non-Intrusive Method of Detecting Security Flaws of a Computer Program | |
CN109189652A (en) | A kind of acquisition method and system of close network terminal behavior data | |
CN110503504B (en) | Information identification method, device and equipment of network product | |
CN114189383B (en) | Method, apparatus, electronic device, medium and computer program product for blocking | |
CN118101342A (en) | Cluster log audit and attack behavior blocking method and system | |
CN116126808A (en) | Behavior log recording method, device, computer equipment and storage medium | |
JP2017199250A (en) | Computer system, analysis method of data, and computer | |
CN114157662B (en) | Cloud platform parameter adaptation method, device, terminal equipment and storage medium | |
US20170293773A1 (en) | A report comprising a masked value |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
PB01 | Publication | ||
SE01 | Entry into force of request for substantive examination | ||