
A Lightweight Security Protection Method for Containers on Big Data Platforms

A container is a lightweight virtualization technology. Its lightweight nature gives it broad application prospects on big data platforms, particularly in distributed machine learning, where machine learning systems built around Kubernetes and containers have gradually become the industry standard. However, the security problems of containers themselves have increasingly become a focus of public attention. In particular, issues such as container image security, container escape and privilege escalation, and exploitation of container vulnerabilities have become technical challenges that operations and maintenance staff must face during practical containerization. This paper systematically analyzes the specific security problems encountered when deploying container technology on big data platforms and, in combination with real environments, provides corresponding lightweight security protection techniques. It designs a lightweight image scanning scheme for large numbers of containers that reduces the container image scanning time to the order of seconds; at the same time, for container monitoring on large-scale data platforms, it keeps the computing resource overhead of monitoring (such as CPU consumption) within the 10% required by the production environment; finally, the container network monitoring scheme designed here for data platforms achieves lightweight full-traffic monitoring without affecting business operations in the production environment.
A Lightweight Security Protection Method for Container on Big Data Platform
Container is a lightweight solution to deploy complex big-data applications. Especially when Kubernetes, a novel container orchestrator, is involved, it makes it possible to run a distributed big data application in a lightweight fashion. However, the security of containerized applications has become the focus of the public, especially as a set of container-targeted attacks has emerged. These attacks include container escape, privilege escalation and remote exploits. They pose great challenges for all security practitioners. In this paper, we discuss the real-world challenges in deploying security tools along with big data applications, and the method to make these tools run lightly in our production system. In particular, we design a lightweight container image scanning technique which reduces the scanning time to seconds-level. Also, we deploy a system monitoring scheme which limits the CPU usage down to ~10%. Lastly, we propose a scheme for lightweight traffic monitoring.

Keywords: container security; security practice in big data system; intrusion detection; container image security

周鑫、夏雨潇、王海峰、邓进


State Grid Big Data Center, Beijing 100052

Nanjing NARI Information and Communication Technology Co., Ltd., Nanjing, Jiangsu 210037

Keywords (Chinese): container security; big data platform security technology; attack detection; container image security

Funding: State Grid Big Data Center special research project on lightweight security protection technology for containers on big data platforms (52999020002Y)

Year: 2024

Journal: 微型电脑应用 (Microcomputer Applications)
Publisher: 上海市微型电脑应用学会 (Shanghai Microcomputer Applications Society)

Indexed in: CSTPCD
Impact factor: 0.359
ISSN: 1007-757X
Year, Volume (Issue): 2024, 40(2)