阅读说明：本技术 一种文件检测方法、装置、存储介质及服务器 (File detection method and device, storage medium and server ) 是由 解培 袁曙光 王震 段鑫冬 于 2021-06-16 设计创作，主要内容包括：本发明实施例公开了一种文件检测方法、装置、存储介质及服务器,所述方法包括：检测当前正在运行的容器；获取所述容器内目标文件的属性信息,并将所述属性信息与文件数据库进行比对；其中,所述文件数据库中包含目标镜像内各个文件的文件信息,所述目标镜像为用于启动所述容器的镜像；当确定所述文件数据库中不存在与所述属性信息匹配的文件信息时,确定所述目标文件被修改。通过本发明实施例提供的技术方案,能够有效监控正在运行的容器内的目标文件是否被修改,有助于保证容器的安全性。(The embodiment of the invention discloses a file detection method, a file detection device, a storage medium and a server, wherein the method comprises the following steps: detecting a container currently in operation; acquiring attribute information of a target file in the container, and comparing the attribute information with a file database; the file database comprises file information of each file in a target mirror image, and the target mirror image is a mirror image for starting the container; when it is determined that the file information matching the attribute information does not exist in the file database, it is determined that the target file is modified. By the technical scheme provided by the embodiment of the invention, whether the target file in the running container is modified or not can be effectively monitored, and the safety of the container is ensured.)

1. A method for file detection, comprising:

detecting a container currently in operation;

acquiring attribute information of a target file in the container, and comparing the attribute information with a file database; the file database comprises file information of each file in a target mirror image, and the target mirror image is a mirror image for starting the container;

when it is determined that the file information matching the attribute information does not exist in the file database, it is determined that the target file is modified.

2. The method of claim 1, wherein obtaining attribute information of the target file in the container comprises:

determining path information based on a preset blacklist rule;

searching a target file in the container based on the path information;

and determining the attribute information of the target file.

3. The method of claim 1, further comprising, prior to comparing the attribute information to a file database:

determining a target image for booting the container;

and acquiring file information of each file in the target mirror image, and constructing the file database based on the file information.

4. The method according to claim 1, before obtaining the attribute information of the target file in the container, further comprising:

monitoring whether the document in the container changes;

acquiring attribute information of the target file in the container, wherein the attribute information comprises the following steps:

and when the file in the container is monitored to be changed, acquiring the attribute information of the target file in the container.

5. The method of claim 1, after determining that the target file is modified, further comprising:

and performing alarm operation on the target file based on the attribute information.

6. The method according to any one of claims 1 to 5, wherein the attribute information includes at least one of a content of the file, a modification time of the file, a right of the file, an owner of the file, and a path of the file.

7. The method of claim 1, wherein the object file comprises a system configuration file and/or a system executable file.

8. A document sensing device, comprising:

the container detection module is used for detecting a container which is currently running;

the attribute information acquisition module is used for acquiring the attribute information of the target file in the container and comparing the attribute information with a file database; the file database comprises file information of each file in a target mirror image, and the target mirror image is a mirror image for starting the container;

and the target file detection module is used for determining that the target file is modified when determining that the file information matched with the attribute information does not exist in the file database.

9. A computer-readable storage medium, on which a computer program is stored, which, when being executed by a processing device, carries out the file detection method according to any one of claims 1 to 7.

10. A server comprising a memory, a processor and a computer program stored on the memory and executable on the processor, wherein the processor implements the file detection method according to any one of claims 1 to 7 when executing the computer program.

Technical Field

The embodiment of the invention relates to the technical field of computers, in particular to a file detection method, a file detection device, a storage medium and a server.

Background

Containers are changing the delivery mode of modern applications due to the convenience of deployment, and as container technology matures, more and more application services are running in containers. With the containerization of the application service, the security problem is also brought into the container, for example, the WEB service in the container is invaded, backdoor files, virus programs, mining programs and the like are left in the container, which can cause security risks such as information leakage, server resource exhaustion and the like.

Disclosure of Invention

Embodiments of the present invention provide a file detection method, an apparatus, a storage medium, and a server, which can effectively monitor whether a target file in an operating container is modified, and help to ensure the security of the container.

In a first aspect, an embodiment of the present invention provides a file detection method, including:

detecting a container currently in operation;

acquiring attribute information of a target file in the container, and comparing the attribute information with a file database; the file database comprises file information of each file in a target mirror image, and the target mirror image is a mirror image for starting the container;

when it is determined that the file information matching the attribute information does not exist in the file database, it is determined that the target file is modified.

In a second aspect, an embodiment of the present invention further provides a file detection apparatus, including:

the container detection module is used for detecting a container which is currently running;

the attribute information acquisition module is used for acquiring the attribute information of the target file in the container and comparing the attribute information with a file database; the file database comprises file information of each file in a target mirror image, and the target mirror image is a mirror image for starting the container;

and the target file detection module is used for determining that the target file is modified when determining that the file information matched with the attribute information does not exist in the file database.

In a third aspect, an embodiment of the present invention provides a computer-readable storage medium, on which a computer program is stored, where the computer program, when executed by a processor, implements the file detection method provided in the embodiment of the present invention.

In a fourth aspect, an embodiment of the present invention provides a server, including a memory, a processor, and a computer program stored on the memory and executable on the processor, where the processor executes the computer program to implement the file detection method according to the embodiment of the present invention.

According to the file detection scheme provided by the embodiment of the invention, a container which is currently running is detected; acquiring attribute information of a target file in the container, and comparing the attribute information with a file database; the file database comprises file information of each file in a target mirror image, and the target mirror image is a mirror image for starting the container; when it is determined that the file information matching the attribute information does not exist in the file database, it is determined that the target file is modified. By the technical scheme provided by the embodiment of the invention, whether the target file in the running container is modified or not can be effectively monitored, and the safety of the container is ensured.

Drawings

FIG. 1 is a flowchart of a file detection method according to an embodiment of the present invention;

FIG. 2 is a flowchart of a file detection method according to another embodiment of the present invention;

FIG. 3 is a schematic structural diagram of a document detecting device according to another embodiment of the present invention;

fig. 4 is a schematic structural diagram of a server in another embodiment of the present invention.

Detailed Description

Embodiments of the present invention will be described in more detail below with reference to the accompanying drawings. While certain embodiments of the present invention are shown in the drawings, it should be understood that the present invention may be embodied in various forms and should not be construed as limited to the embodiments set forth herein, but rather are provided for a more thorough and complete understanding of the present invention. It should be understood that the drawings and the embodiments of the present invention are illustrative only and are not intended to limit the scope of the present invention.

It should be understood that the various steps recited in the method embodiments of the present invention may be performed in a different order and/or performed in parallel. Moreover, method embodiments may include additional steps and/or omit performing the illustrated steps. The scope of the invention is not limited in this respect.

The term "include" and variations thereof as used herein are open-ended, i.e., "including but not limited to". The term "based on" is "based, at least in part, on". The term "one embodiment" means "at least one embodiment"; the term "another embodiment" means "at least one additional embodiment"; the term "some embodiments" means "at least some embodiments". Relevant definitions for other terms will be given in the following description.

It should be noted that the terms "first", "second", and the like in the present invention are only used for distinguishing different devices, modules or units, and are not used for limiting the order or interdependence relationship of the functions performed by the devices, modules or units.

It is noted that references to "a", "an", and "the" modifications in the present invention are intended to be illustrative rather than limiting, and that those skilled in the art will recognize that reference to "one or more" unless the context clearly dictates otherwise.

The names of messages or information exchanged between devices in the embodiments of the present invention are for illustrative purposes only, and are not intended to limit the scope of the messages or information.

In the related art, malicious files are discovered through file searching and killing, and the detection process mainly comprises the following steps: and scanning the files in a full disk by using a virus Trojan rule base, and alarming the files hitting the rule base. The detection success rate of the method depends on the richness degree of the rule base, if the rule base does not contain the rules of relevant viruses, the detection cannot be carried out, only known malicious files can be detected, and unknown malicious files cannot be detected.

Fig. 1 is a flowchart of a file detection method according to an embodiment of the present invention, where the embodiment of the present invention is applicable to a case of detecting a file in a running container, and the method may be executed by a file detection apparatus, which may be composed of hardware and/or software and may be generally integrated in a server. As shown in fig. 1, the method specifically includes the following steps:

at step 110, a container currently in operation is detected.

The container is a light virtual technology on an operating system, and the application process in the container runs in an independent environment (including a process environment, a network environment, a file system environment and the like) by isolating the container from the running environment of a host system, and the environments of the containers are not influenced by each other. The operation container needs to use the mirror image as a file system for the operation of the operation container, the mirror image can be regarded as a packed layered file system, an executable program serving as an inlet is arranged in the layered file system, and the inlet program uses the file system of the mirror image as an environment for the operation of the container after being operated.

In the embodiment of the invention, the container which is currently running is detected every preset time length or in real time. Illustratively, in response to a file detection event being triggered, a detection engine is initiated, by which a container currently running is detected. Wherein the detection engine may be installed on the server node, and the inspection engine may be configured to detect the integrity of the files in all containers on the server node.

Step 120, acquiring attribute information of the target file in the container, and comparing the attribute information with a file database; the file database comprises file information of each file in a target mirror image, and the target mirror image is a mirror image for starting the container.

In the embodiment of the invention, during the operation process of the container, some files in the container can be modified according to the requirement, such as application program class files; while some files within the container cannot be modified, such as system configuration class files. In the embodiment of the invention, the file which is allowed to be modified in the container operation process can be called as a file which can be modified, and the file which is not allowed to be modified can be called as a file which can not be modified. If the files which cannot be modified in the running container are changed, the container has potential safety hazards. It is to be understood that the target file is a file that cannot be modified within the running container.

In the embodiment of the present invention, attribute information of a target file in a currently running container is obtained, where the attribute information may include at least one of content of the file, modification time of the file, authority of the file, owner of the file, and path of the file. The object files may include system configuration files and/or system executables. And acquiring a file database corresponding to the currently running container, wherein the file database comprises file information of each file in a target mirror image, and the target mirror image is a mirror image for starting the currently running container. The containers currently running correspond to the target images one to one, that is, the containers currently running correspond to the file database one to one. The file information of each file in the target image contained in the file database may include at least one of content of the file, modification time of the file, authority of the file, owner of the file, and path of the file. And comparing the attribute information of the target file in the container with the file information of each file in the file database one by one so as to judge whether the file database has file information which is completely matched with the attribute information of the target file.

Step 130, when it is determined that the file information matched with the attribute information does not exist in the file database, determining that the target file is modified.

In the embodiment of the invention, when the file information which is completely matched with the attribute information of the target file does not exist in the file database, the target file is determined to be modified if the target file is changed relative to the file in the target image before the container runs. At this time, it can be further explained that the currently operating container has a safety hazard. When it is determined that the file information completely matched with the attribute information of the target file exists in the file database, it is described that the target file is not changed relative to the file in the target image before the container is operated, that is, the target file is not modified, and it is further described that the currently operating container does not have potential safety hazard.

Optionally, after determining that the target file is modified, the method further includes: and performing alarm operation on the target file based on the attribute information. Specifically, after it is determined that the target file is abnormally modified, the target file is alarmed based on the attribute information of the target file, for example, the attribute information of the target file and the alarm information that the target file is modified may be reported to the management platform through the API interface, or an email may be sent to an administrator through a preset configuration email address, where the email may include the attribute information of the target file and the alarm information that the target file is modified. The good point of the arrangement can help an administrator to find the potential risk of the container currently running in time.

The file detection method provided by the embodiment of the invention detects the container which is currently running; acquiring attribute information of a target file in the container, and comparing the attribute information with a file database; the file database comprises file information of each file in a target mirror image, and the target mirror image is a mirror image for starting the container; when it is determined that the file information matching the attribute information does not exist in the file database, it is determined that the target file is modified. By the technical scheme provided by the embodiment of the invention, whether the target file in the running container is modified or not can be effectively monitored, and the safety of the container is ensured.

In some embodiments, obtaining attribute information of the target file within the container includes: determining path information based on a preset blacklist rule; searching a target file in the container based on the path information; and determining the attribute information of the target file. The method has the advantages that the attribute information of the target file in the currently running container can be accurately determined, and the integrity of the file which can be modified in the container is prevented from being detected. In the embodiment of the present invention, black and white list rules may be preconfigured, where the white list rules are used to filter file paths or directories that do not need to be detected (for ignoring file directories that are modified by the application in the container itself), and also may be used to modify file paths or directories, and the black list rules may be used to specify file paths or directories that need to be detected (usually, key directories such as/sys,/etc. and/etc. are specified, and these directories store important configuration files and executable files, which are directories that are frequently tampered by the virus trojan program), that is, file paths or directories that cannot be modified (target files). Specifically, the path information in the preset blacklist rule is determined, where the path information may include a path or a directory of a file. And then searching a corresponding target file in the currently running container based on the path information, and further acquiring the attribute information of the target file.

In some embodiments, before comparing the attribute information with a file database, the method further includes: determining a target image for booting the container; and acquiring file information of each file in the target mirror image, and constructing the file database based on the file information. Specifically, after a currently running container is detected, a target image corresponding to the currently running container is determined according to the association relationship between the container and the image, wherein the target image is an image used for starting the currently running container. The file information of each file in the target mirror image is obtained by scanning the file in the target mirror image, wherein the file information may include information such as HASH of file content, file modification time, file authority, file owner, file path and the like, and a file database corresponding to the target mirror image is constructed based on the file information, or it can be understood that the file database corresponding to the container is constructed based on the file information. The file database comprises file information of each file in the target mirror image.

In some embodiments, before obtaining the attribute information of the target file in the container, the method further includes: monitoring whether the document in the container changes; acquiring attribute information of the target file in the container, wherein the attribute information comprises the following steps: and when the file in the container is monitored to be changed, acquiring the attribute information of the target file in the container. The advantage of this arrangement is that the frequency of detection of the target file in the container currently in operation can be reduced on the premise of effectively ensuring the safety of the container. Specifically, whether the file in the currently running container changes is monitored every preset time or in real time, for example, the change operation of the file can be sensed in real time by monitoring the change of a file system in the container (the file change is monitored in real time by an existing mechanism inotify on linux). When the file in the container is monitored to be changed, the attribute information of the target file in the container is obtained, and the attribute information is compared with the file database to detect whether the target file is modified.

Fig. 2 is a flowchart of a file detection method according to another embodiment of the present invention. As shown in fig. 2, the method specifically includes the following steps:

step 210, detecting a container currently running.

Step 220, determine the target image for the boot container.

And step 230, acquiring file information of each file in the target mirror image, and constructing a file database based on the file information.

And 240, determining path information based on a preset blacklist rule, and searching a target file in the container based on the path information.

And step 250, determining the attribute information of the target file.

Step 260, comparing the attribute information with a file database.

And 270, when it is determined that the file information matched with the attribute information does not exist in the file database, determining that the target file is modified, and performing alarm operation on the target file based on the attribute information.

The file detection method provided by the embodiment of the invention can effectively monitor whether the target file in the running container is modified or not, is beneficial to ensuring the safety of the container, can accurately determine the attribute information of the target file in the current running container, avoids detecting the integrity of the modified file in the container, and effectively improves the detection efficiency of the target file in the container.

Fig. 3 is a schematic structural diagram of a document detecting device according to another embodiment of the present invention. As shown in fig. 3, the apparatus includes: a container detection module 310, an attribute information acquisition module 320, and a target file detection module 330. Wherein the content of the first and second substances,

a container detection module 310 for detecting a container currently in operation;

an attribute information obtaining module 320, configured to obtain attribute information of a target file in the container, and compare the attribute information with a file database; the file database comprises file information of each file in a target mirror image, and the target mirror image is a mirror image for starting the container;

and the target file detection module 330 is configured to determine that the target file is modified when it is determined that file information matching the attribute information does not exist in the file database.

The file detection device provided by the embodiment of the invention detects the container which is currently running; acquiring attribute information of a target file in the container, and comparing the attribute information with a file database; the file database comprises file information of each file in a target mirror image, and the target mirror image is a mirror image for starting the container; when it is determined that the file information matching the attribute information does not exist in the file database, it is determined that the target file is modified. By the technical scheme provided by the embodiment of the invention, whether the target file in the running container is modified or not can be effectively monitored, and the safety of the container is ensured.

Optionally, the attribute information obtaining module is configured to:

determining path information based on a preset blacklist rule;

searching a target file in the container based on the path information;

and determining the attribute information of the target file.

Optionally, the apparatus further comprises:

the target mirror image determining module is used for determining a target mirror image for starting the container before comparing the attribute information with a file database;

and the file database construction module is used for acquiring the file information of each file in the target mirror image and constructing the file database based on the file information.

Optionally, the apparatus further comprises:

the file monitoring module is used for monitoring whether the files in the container change or not before acquiring the attribute information of the target files in the container;

the attribute information acquisition module is configured to:

and when the file in the container is monitored to be changed, acquiring the attribute information of the target file in the container.

Optionally, the apparatus further comprises:

and the alarm module is used for carrying out alarm operation on the target file based on the attribute information after the target file is determined to be modified.

Optionally, the attribute information includes at least one of content of the file, modification time of the file, authority of the file, owner of the file, and path of the file.

Optionally, the object file includes a system configuration file and/or a system executable file.

The device can execute the methods provided by all the embodiments of the invention, and has corresponding functional modules and beneficial effects for executing the methods. For technical details which are not described in detail in the embodiments of the present invention, reference may be made to the methods provided in all the aforementioned embodiments of the present invention.

Embodiments of the present invention also provide a storage medium containing computer-executable instructions, which when executed by a computer processor, perform a file detection method, the method including:

detecting a container currently in operation;

acquiring attribute information of a target file in the container, and comparing the attribute information with a file database; the file database comprises file information of each file in a target mirror image, and the target mirror image is a mirror image for starting the container;

when it is determined that the file information matching the attribute information does not exist in the file database, it is determined that the target file is modified.

Storage medium-any of various types of memory devices or storage devices. The term "storage medium" is intended to include: mounting media such as CD-ROM, floppy disk, or tape devices; computer system memory or random access memory such as DRAM, DDRRAM, SRAM, EDORAM, Lanbas (Rambus) RAM, etc.; non-volatile memory such as flash memory, magnetic media (e.g., hard disk or optical storage); registers or other similar types of memory elements, etc. The storage medium may also include other types of memory or combinations thereof. In addition, the storage medium may be located in a first computer system in which the program is executed, or may be located in a different second computer system connected to the first computer system through a network (such as the internet). The second computer system may provide program instructions to the first computer for execution. The term "storage medium" may include two or more storage media that may reside in different locations, such as in different computer systems that are connected by a network. The storage medium may store program instructions (e.g., embodied as a computer program) that are executable by one or more processors.

Of course, the storage medium provided by the embodiment of the present invention includes computer-executable instructions, and the computer-executable instructions are not limited to the file detection operation described above, and may also perform related operations in the file detection method provided by any embodiment of the present invention.

The embodiment of the invention provides a server, and the server can be integrated with the file detection device provided by the embodiment of the invention. Fig. 4 is a block diagram of a server according to an embodiment of the present invention. The server 400 may include: a memory 401, a processor 402 and a computer program stored on the memory 401 and executable by the processor, wherein the processor 402 implements the file detection method according to the embodiment of the present invention when executing the computer program.

The server provided by the embodiment of the invention detects the container which is currently running; acquiring attribute information of a target file in the container, and comparing the attribute information with a file database; the file database comprises file information of each file in a target mirror image, and the target mirror image is a mirror image for starting the container; when it is determined that the file information matching the attribute information does not exist in the file database, it is determined that the target file is modified. By the technical scheme provided by the embodiment of the invention, whether the target file in the running container is modified or not can be effectively monitored, and the safety of the container is ensured.

The file detection device, the storage medium and the server provided in the above embodiments can execute the file detection method provided in any embodiment of the present invention, and have corresponding functional modules and beneficial effects for executing the method. For technical details that are not described in detail in the above embodiments, reference may be made to a file detection method provided in any embodiment of the present invention.

It is to be noted that the foregoing is only illustrative of the preferred embodiments of the present invention and the technical principles employed. It will be understood by those skilled in the art that the present invention is not limited to the particular embodiments described herein, but is capable of various obvious changes, rearrangements and substitutions as will now become apparent to those skilled in the art without departing from the scope of the invention. Therefore, although the present invention has been described in greater detail by the above embodiments, the present invention is not limited to the above embodiments, and may include other equivalent embodiments without departing from the spirit of the present invention, and the scope of the present invention is determined by the scope of the appended claims.