A high-performance real-time container file monitoring approach based on virtual machine introspection
Abstract: As cloud computing continues to advance and becomes an integral part of modern IT infrastructure, container security has emerged as a critical factor in the smooth operation of cloud-native applications. By tampering with files, an attacker can attack the service running in a container or even carry out a container escape attack, so monitoring container files is important for APT detection and cyberspace security. Existing file monitoring methods protect files in real time either from the host operating system or through virtual machine introspection. Host-based methods monitor file operations from within the host operating system; however, once a container has escaped to the host, the host operating system can no longer be trusted, so these methods offer weak security. Methods based on virtual machine introspection monitor the file operations of the virtual machine in real time from the virtual machine monitor layer. Because of the hypervisor's strong isolation, a monitoring program in the virtual machine monitor layer is more secure than file monitoring in the host operating system, but virtual machine introspection usually introduces high real-time monitoring overhead. To address the low security and high overhead of existing container file monitoring, a high-performance container file monitoring method based on virtual machine introspection is proposed. Built on the container-in-VM architecture, it uses virtual machine introspection to monitor the files of containers running inside the VM, and the isolation capability of the hypervisor protects the monitor itself against the security problems that container escape attacks introduce.
To reduce the monitoring overhead that virtual machine introspection introduces for file monitoring in container scenarios, a high-performance real-time file monitoring method based on memory monitoring is proposed. After analyzing the container file system, dedicated memory areas are initialized to hold the memory cache of the monitored container files. Virtual machine introspection is then used to monitor these target memory areas, so that access operations on the target files can be captured and analyzed. Because the monitored files are cached in separate memory areas, the monitoring does not affect the read and write performance of the other files in the container. The experimental results show that the proposed approach effectively monitors container files and introduces acceptable monitoring overhead.
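The following Python model illustrates the design sketched in the abstract: page-cache frames for monitored files are allocated from a dedicated guest-physical region that is set up once, the hypervisor-side monitor traps only accesses that land in that region, and a trapped frame is resolved back to the file it belongs to. This is an added illustration written for this page, not the authors' implementation; the region base addresses, region size, file names, process IDs and the access log are constructed for the example, and the in-guest allocator, the trap and the semantic-gap resolution are stand-ins for what a real VMI system would do through the hypervisor's second-level page tables.

```python
"""Model of selective page-cache monitoring through hypervisor memory traps.

Added illustration, not the paper's code. Monitored container files are cached
in a dedicated guest-physical region; the hypervisor watches only that region,
so file I/O on unmonitored files never causes a VM exit. All addresses, names
and the workload below are constructed for the example.
"""
from dataclasses import dataclass

PAGE = 4096


@dataclass(frozen=True)
class Access:
    pid: int
    path: str
    op: str      # "read" or "write"
    offset: int  # byte offset inside the file


class ContainerPageCache:
    """Assigns page-cache frames. Monitored files draw frames from a dedicated
    region [mon_base, mon_base + mon_size); every other file draws from a
    general region, so the two never share a frame (assumed layout)."""

    def __init__(self, monitored, mon_base=0x1000_0000, mon_size=64 * PAGE,
                 gen_base=0x2000_0000):
        self.monitored = frozenset(monitored)
        self.mon_base, self.mon_size = mon_base, mon_size
        self._next_mon = mon_base
        self._next_gen = gen_base
        self._frames = {}   # (path, page_index) -> guest-physical address
        self._owner = {}    # gpa of a monitored frame -> (path, page_index)

    def frame(self, path, offset):
        key = (path, offset // PAGE)
        if key not in self._frames:
            if path in self.monitored:
                if self._next_mon >= self.mon_base + self.mon_size:
                    raise MemoryError("dedicated region exhausted")
                gpa, self._next_mon = self._next_mon, self._next_mon + PAGE
                self._owner[gpa] = key
            else:
                gpa, self._next_gen = self._next_gen, self._next_gen + PAGE
            self._frames[key] = gpa
        return self._frames[key]

    def resolve(self, gpa):
        """Semantic-gap bridge: map a trapped frame back to (path, page_index)."""
        return self._owner[gpa & ~(PAGE - 1)]


class HypervisorMonitor:
    """Stands in for the VMM-side trap handler: it watches the one GPA range
    fixed at initialisation, records each access that lands in it and counts
    the VM exits that monitoring costs."""

    def __init__(self, cache):
        self.cache = cache
        self.lo, self.hi = cache.mon_base, cache.mon_base + cache.mon_size
        self.events = []
        self.vm_exits = 0

    def on_access(self, acc, gpa):
        if not (self.lo <= gpa < self.hi):
            return False          # no trap: unmonitored file, no overhead
        self.vm_exits += 1
        path, page = self.cache.resolve(gpa)
        self.events.append((acc.pid, acc.op, path, page))
        return True


def replay(monitored, accesses):
    """Run a workload through the cache and monitor; return the monitor."""
    cache = ContainerPageCache(monitored)
    mon = HypervisorMonitor(cache)
    for acc in accesses:
        gpa = cache.frame(acc.path, acc.offset)
        mon.on_access(acc, gpa)
    return mon


def tamper_alerts(mon):
    """Writes to a monitored file are the tampering signal of interest."""
    return [(pid, path, page) for pid, op, path, page in mon.events if op == "write"]


# Constructed workload: a shell editing /etc/passwd, an app doing bulk log I/O.
WORKLOAD = [
    Access(101, "/etc/passwd", "read", 0),
    Access(101, "/etc/passwd", "write", 120),
    Access(202, "/var/log/app.log", "write", 8192),
    Access(202, "/var/log/app.log", "write", 12288),
    Access(202, "/var/log/app.log", "read", 0),
    Access(303, "/usr/bin/sudo", "read", 4096),
]

if __name__ == "__main__":
    m = replay({"/etc/passwd", "/usr/bin/sudo"}, WORKLOAD)
    print("VM exits:", m.vm_exits, "of", len(WORKLOAD), "accesses")
    for alert in tamper_alerts(m):
        print("tamper alert:", alert)
```

Only the three accesses to monitored files cause a VM exit; the three accesses to the application log never enter the watched range, which is the performance argument of the abstract in miniature. The write to the first page of /etc/passwd surfaces as a tamper alert.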