CPC G06F 21/54 (2013.01) [G06F 9/45545 (2013.01); G06F 9/45558 (2013.01); G06F 21/554 (2013.01); G06F 21/566 (2013.01); G06F 21/577 (2013.01); G06F 2009/45587 (2013.01); G06F 2009/45591 (2013.01)]
20 Claims
1. A method, comprising:
receiving information about a plurality of system calls from a monitored container of at least one container running on a host machine of a computing system, wherein the information comprises first system call information, second system call information, and third system call information, wherein the first system call information corresponds to a first system call used by a first process and comprises a first time associated with the first system call, wherein the second system call information corresponds to a second system call used by the first process and comprises a second time associated with the second system call, wherein the third system call information corresponds to a third system call used by the first process and comprises a third time associated with the third system call, and wherein the first time, the second time, and the third time are different times;
generating, based on the information, an occurrence order of the plurality of system calls according to the first time, the second time, and the third time;
matching, based on an escape detection rule, the occurrence order of the plurality of system calls with at least one group of preset system call orders, wherein the escape detection rule comprises the at least one group of preset system call orders; and
detecting, based on a result of the matching, whether the monitored container has escaped.
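
The steps of claim 1, sketched as an added example (not code from the patent): per-process system calls are ordered by their associated times and compared with groups of preset orders. The rule contents, the names `SyscallEvent`, `ESCAPE_RULE` and `detect_escape`, and the in-order-with-gaps matching semantics are assumptions made for illustration; the claim does not specify them.

```python
from collections import defaultdict
from typing import NamedTuple

class SyscallEvent(NamedTuple):
    time_ns: int   # time associated with the system call
    pid: int       # process in the monitored container that used the call
    name: str      # system call name

# Hypothetical escape detection rule: groups of preset system call orders.
# The sequences are constructed placeholders, not vetted signatures.
ESCAPE_RULE = {
    "placeholder-order-A": ("unshare", "mount", "chroot"),
    "placeholder-order-B": ("openat", "ptrace", "execve"),
}

def occurrence_order(events):
    """Per process, the system call names sorted by their associated time."""
    per_pid = defaultdict(list)
    for ev in events:
        per_pid[ev.pid].append(ev)
    return {pid: [e.name for e in sorted(evs, key=lambda e: e.time_ns)]
            for pid, evs in per_pid.items()}

def matches_order(observed, preset):
    """True if preset occurs within observed in the same order.
    Unrelated calls in between are allowed (an assumption of this sketch)."""
    it = iter(observed)
    return all(call in it for call in preset)  # 'in' consumes the iterator

def detect_escape(events, rule=ESCAPE_RULE):
    """Return sorted (pid, group) pairs whose occurrence order matches a group."""
    hits = []
    for pid, order in occurrence_order(events).items():
        for group, preset in rule.items():
            if matches_order(order, preset):
                hits.append((pid, group))
    return sorted(hits)

# Constructed sample: events arrive unordered, two processes interleaved.
# pid 42 uses the same calls as group A but in a different order.
SAMPLE = [
    SyscallEvent(300, 41, "chroot"), SyscallEvent(100, 41, "unshare"),
    SyscallEvent(150, 42, "chroot"), SyscallEvent(200, 41, "mount"),
    SyscallEvent(250, 41, "read"),   SyscallEvent(120, 42, "mount"),
    SyscallEvent(400, 42, "unshare"),
]

if __name__ == "__main__":
    print(detect_escape(SAMPLE))
```

Only the process whose calls occur in the preset order is reported; the second process issues the same calls at different times and does not match, which is why the claim requires the times to build the occurrence order.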