Abstract (English) |
In the current era, in which microservice architecture is prevalent, containerized applications face unprecedented security challenges. This research proposes a container security solution that detects anomalies in the behavior of microservice containers mainly through the monitoring and analysis of system call sequences. To achieve this goal, we created a new dataset, named CCoED, specifically designed to collect the behavior of containers under the microservice architecture. The framework of our proposed solution includes several core components: system call monitors, databases and dashboards, parsers, and an anomaly detection model. Among these, we focus on machine learning techniques, specifically unsupervised learning via autoencoders, to enhance the detection capability for unknown vulnerabilities. The solution also takes full advantage of containerization technology, ensuring simplicity, scalability, ease of adoption, and a high degree of automation. Our evaluation methodology primarily focuses on the analysis of false alarm rate and average detection time. Experimental results show that the attack detection performance of most containers meets expectations. However, the detection time of one subset is slightly longer, ranging between 200 and 300 seconds. We hypothesize that the intrinsic complexity of the vulnerabilities may be the main factor influencing detection time. In summary, the findings of this research provide important guidelines for enhancing container security and will contribute to further refinement of research in the field of microservice security. |
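As an added example (not code from the thesis or its dataset), a minimal pure-Python version of the pipeline the abstract describes: system call windows become bag-of-syscalls vectors, a tied-weight linear autoencoder is trained on benign windows only, the alarm threshold is taken from the training reconstruction error, and the two evaluation metrics named above (false alarm rate and detection time) are computed over a constructed event stream. The syscall vocabulary, the two benign traffic templates, the injection burst and the 10-second window length are all assumptions made for the example.

```python
import random
# Assumed syscall vocabulary for this example; a real deployment would take it from the monitor.
VOCAB = ["read", "write", "openat", "close", "accept", "recvfrom", "sendto",
         "fork", "execve", "socket", "connect", "chmod"]

def bag_of_syscalls(window):
    """Normalised syscall-frequency vector for one window of syscall names."""
    return [window.count(name) / (len(window) or 1) for name in VOCAB]

class TiedLinearAutoencoder:
    """Linear autoencoder with tied weights (x_hat = W W^T x), trained by plain SGD."""
    def __init__(self, n_in, n_hidden, seed=0):
        rng = random.Random(seed)
        self.W = [[rng.uniform(-0.05, 0.05) for _ in range(n_hidden)] for _ in range(n_in)]
    def reconstruct(self, x):
        h = [sum(x[i] * row[j] for i, row in enumerate(self.W)) for j in range(len(self.W[0]))]
        return h, [sum(row[j] * h[j] for j in range(len(h))) for row in self.W]
    def error(self, x):
        return sum((a - b) ** 2 for a, b in zip(x, self.reconstruct(x)[1]))
    def fit(self, data, epochs=500, lr=0.3):
        for _ in range(epochs):
            for x in data:
                h, xh = self.reconstruct(x)
                r = [a - b for a, b in zip(x, xh)]  # residual x - x_hat
                g = [sum(r[i] * row[j] for i, row in enumerate(self.W)) for j in range(len(h))]
                for a, row in enumerate(self.W):  # descend the squared residual w.r.t. the tied W
                    for b in range(len(h)):
                        row[b] += 2 * lr * (r[a] * h[b] + x[a] * g[b])

# Constructed traffic: two benign request-handling templates and a command-injection burst.
SERVE_FILE = ["accept", "recvfrom", "openat", "read", "read", "close", "sendto", "close"]
API_CALL = ["accept", "recvfrom", "read", "write", "sendto", "write", "close"]
INJECTION = ["fork", "execve", "socket", "connect", "execve", "chmod", "execve", "fork", "read"]
benign = lambda a, b: SERVE_FILE * a + API_CALL * b  # a window of a file requests and b API requests

def train_detector():
    """Fit on benign windows (pure templates included); the threshold comes from the training error."""
    train = [bag_of_syscalls(benign(a, b)) for a, b in [(1, 0), (0, 1), (2, 1), (1, 2), (3, 1), (1, 3)]]
    model = TiedLinearAutoencoder(len(VOCAB), 3)
    model.fit(train)
    return model, 1.5 * max(model.error(x) for x in train) + 1e-9

def scan(model, threshold, windows):
    """Indices of windows whose reconstruction error exceeds the threshold, i.e. alarms."""
    return [i for i, w in enumerate(windows) if model.error(bag_of_syscalls(w)) > threshold]

def evaluate(flagged, attack_start, window_seconds=10):
    """The two metrics above: false-alarm rate before the attack and seconds until the first alarm."""
    hits = [i for i in flagged if i >= attack_start]
    return (len(flagged) - len(hits)) / max(attack_start, 1), ((hits[0] - attack_start + 1) * window_seconds if hits else None)
```

Because the pure templates are in the training set and the model is linear, any mixture of them reconstructs at least as well as the worst training window, so benign mixtures never trip the threshold; the injection burst spends most of its calls on syscalls the model never saw and is flagged in the first window.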