Thesis/Dissertation 110552006: Detailed Record




Name 許博凱 (Po-Kai Hsu)   Department Department of Computer Science and Information Engineering (In-service Master's Program)
Thesis Title Enhancing Virtualization Security through System Call-based Anomaly Detection in Containers
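  1. The author has agreed to make this electronic thesis openly available immediately.
  2. The open-access electronic full text is licensed to users only for personal, non-profit searching, reading, and printing for the purpose of academic research.
  3. Please comply with the relevant provisions of the Copyright Act of the Republic of China; do not reproduce, distribute, adapt, repost, or broadcast the work without authorization, to avoid violating the law.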

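Abstract (Chinese) In an era where microservice architectures prevail, containerized applications face unprecedented security challenges. This study proposes a container security solution that detects anomalies in the behavior of microservice containers, mainly by monitoring and analyzing system call sequences. To this end, we created a new dataset, named CCoED, that specifically collects container behavior under a microservice architecture. The architecture of our solution comprises several core components, including a system call monitor, a database and dashboard, a parser, and an anomaly detection model. We focus on machine learning techniques, in particular the autoencoder as an unsupervised learning method, to strengthen the detection of unknown vulnerabilities. The solution also takes full advantage of containerization technology, so that it is simple, scalable, easy to adopt, and highly automated. Our evaluation mainly analyzes the false alarm rate and the average detection time. The experimental results show that attack detection for most containers performs as expected. However, one subset has a slightly longer detection time, between 200 and 300 seconds. We hypothesize that the intrinsic complexity of the vulnerability may be the main factor affecting detection time. Overall, the results of this study provide important guidance for improving container security and will help further refine research in the field of microservice security.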
Abstract (English) In the current era where microservice architecture is prevalent, containerized applications are facing unprecedented security challenges. This research proposes a container security solution, mainly through the monitoring and analysis of system call sequences, to detect anomalies in the behavior of microservice containers. To achieve this goal, we created a new dataset specifically designed to collect the behavior of containers under the microservice architecture, named CCoED. The framework of our proposed solution includes multiple core components, such as system call monitors, databases and dashboards, parsers, and an anomaly detection model. Among them, we focus on utilizing machine learning techniques, specifically unsupervised learning via autoencoders, to enhance the detection capability of unknown vulnerabilities. This solution also takes full advantage of the benefits of containerization technology, ensuring simplicity, scalability, ease of adoption, and a high degree of automation. Our evaluation methodology primarily focuses on the analysis of false alarm rate and average detection time. Experimental results show that the attack detection performance of most containers meets expectations. However, the detection time of one subset is slightly longer, ranging from 200 to 300 seconds. We hypothesize that the intrinsic complexity of vulnerabilities may be the main factor influencing detection time. In summary, the findings of this research provide important guidelines for enhancing container security, and will contribute to further refinement of research in the field of microservice security.
Keywords (Chinese) ★ container
★ virtualization security
★ intrusion detection system
★ Falco
★ Docker
Keywords (English) ★ container
★ virtualization security
★ intrusion detection system
★ Falco
★ Docker
Table of Contents
Chinese Abstract
Abstract
Acknowledgements
List of Tables
List of Figures
Chapter 1 Introduction
1-1. Research Motivation
Chapter 2 Literature Review
2-1. Container Threat Matrix
2-1.1 Image Threats
2-1.2 Runtime Risks
2-1.3 Container Breakout
2-2. System Call-based Security Strategies
2-2.1 Solutions Using Seccomp
2-2.2 Intrusion Detection Systems
Chapter 3 Environment Setup and Dataset
3-1. Environment Setup
3-2. Data Collection
3-3. Attack Overview
Chapter 4 Research Method and Design
4-1. Overview
4-2. System Call Monitoring
4-3. Database and Dashboard
4-4. Parser
4-5. Autoencoder
Chapter 5 Experiments and Discussion
5-1. Attack Detection
5-2. False Alarm Rate
5-3. Average Detection Time
Chapter 6 Conclusion and [...] Work
References
Advisor 孫敏德 (Min-Te Sun)   Approval Date 2023-7-15