

    Please use this permanent URL to cite or link to this document: https://ir.lib.ncu.edu.tw/handle/987654321/98578


    Title: LMM: A Reinforcement-Learning-Based Mitigation Mechanism of Lateral Movement in Kubernetes
    Author: Hung, Ci-Yi (洪琪懿)
    Contributor: Department of Computer Science and Information Engineering
    Keywords: Lateral Movement; Kubernetes Security; Reinforcement Learning; Markov Chain; Event Tracking; Dynamic Defense
    Date: 2025-08-18
    Upload time: 2025-10-17 12:56:59 (UTC+8)
    Publisher: National Central University
    Abstract: With the growing adoption of microservices architecture and container technologies, Kubernetes—while offering a variety of built-in security modules—remains vulnerable to lateral movement due to its highly interconnected network architecture and frequent misconfigurations in permission settings. This study proposes the Lateral Movement Mitigation (LMM) mechanism, which integrates event tracking, risk assessment, and reinforcement learning (RL) to enhance Kubernetes' defense against lateral movement. LMM leverages Falco with custom rules to capture container-level event data and utilizes a high-order Markov chain to construct a transition probability matrix for estimating the likelihood of command sequences. These transition probabilities are then used for risk assessment and provided as input states to the RL agent. The RL agent selects mitigation actions—such as applying NetworkPolicy, reducing Service Account privileges, or enforcing Pod Security Admission (PSA) rules—based on recommendations from the MITRE ATT&CK framework, thereby dynamically strengthening Kubernetes' native security modules.
Experiments show that LMM improves accuracy by 24.73% over Warp and F1-score by 29.09% over ADA in the Kubernetes namespace bypass scenario. In the RBAC misconfiguration scenario, LMM outperforms Warp by 21.61% in accuracy and 31.51% in F1-score. In terms of mitigation latency, LMM achieves up to 98.54% and 98.38% faster response times compared to Warp and ADA, respectively, demonstrating its effectiveness and real-time responsiveness. In summary, LMM combines real-time monitoring, risk modeling, and automated decision-making to deliver an efficient and accurate proactive defense solution against lateral movement in Kubernetes.
    Appears in collection: [Graduate Institute of Computer Science and Information Engineering] Master's and Doctoral Theses

    Files in this item:

    File        Description  Size  Format  Views
    index.html               0Kb   HTML    18

