Highly-Scalable Container Integrity Monitoring for Large-Scale Kubernetes Cluster

Kitahara, Hirokuni; Gajananan, Kugamoorthy; Watanabe, Yousuke

doi:10.1109/bigdata50022.2020.9377815

Cited by 7 publications

(2 citation statements)

References 8 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…In file integrity protection, monitoring system changes is a major approach, and is used to detect changes and determine whether they are anomalous. Jin et al [27] and Zlatkovski et al [33] proposed an approach to detect mutations on the basis of rules and Kitahara et al [28] proposed a mechanism to filter out default behavioral events in containers and detect mutation events that are anomalous. Commercial products for file integrity protection also exist, for instance, Solarwinds's Security Event Manager [21], Qualys's File Integrity Monitoring [23], Trustwave's Endpoint Protection [22], and Tripwire [24].…”

Section: Related Workmentioning

confidence: 99%

Application Integrity Protection on Kubernetes cluster based on Manifest Signature Verification

Kudo

Kitahara

Gajananan

et al. 2022

Journal of Information Processing

Self Cite

View full text Add to dashboard Cite

The integrity of the cloud is the most important requirement for mission-critical enterprise workloads. NIST SP 800-53 states that information systems must prevent the installation of any components that have not been verified digitally. On a Kubernetes cluster, the admission controller can control requests for application installations, and it would be a powerful protection tool if it could control requests for Kubernetes resources on the basis of signature verification. However, there are various technical challenges when it comes to verifying the signature for a Kubernetes resource at the admission controller because a signed resource is rewritten automatically by internal cluster work and many requests that include an internal mutation without a signature are generated. In this work, we propose an approach to protect the integrity of a Kubernetes resource with signature verification at the admission controller. Our approach addresses the issue that the differences between the signed resource in the admission request and the signature message occur automatically in Kubernetes and conducts signature verification properly by using DryRun. We also propose a profile framework to address the internal mutation request that cannot be attached to the signature. Our experimental results demonstrate that standard applications can be protected by our approach.

show abstract

Section: Related Workmentioning

confidence: 99%

Application Integrity Protection on Kubernetes cluster based on Manifest Signature Verification

Kudo

Kitahara

Gajananan

et al. 2022

Journal of Information Processing

Self Cite

View full text Add to dashboard Cite

show abstract

“…In this paper, we propose a novel approach for highly scalable container integrity monitoring using system call monitoring [8]. We do not rely on any predefined allowlist configuration, i.e., no prior knowledge about container image for creating container.…”

Section: Introductionmentioning

confidence: 99%

Real-time Container Integrity Monitoring for Large-Scale Kubernetes Cluster

Kitahara

Gajananan

Watanabe

2021

Journal of Information Processing

Self Cite

View full text Add to dashboard Cite

Container integrity monitoring is defined as a key requirement for regulatory compliance such as PCI-DSS, in which any unexpected changes such as file updates or program runs must be logged for later audit. System call monitoring provides comprehensive monitoring of such change events on container since it may suffer from large amount of false alarms unless well-defined allowlist rules are coordinated before deploying a container. Defining such a comprehensive allowlist is not feasible especially when managing various kinds of application workloads in large-scale enterprise cluster. We propose a new approach for identifying real anomalies in system call events effectively without relying on any predefined allowlist configuration in this paper. Our novel filtering algorithm based on the knowledge acquired autonomously from Kubernetes cluster control plane reduces 99.999% of noise effectively and distills only abnormal events in real time. Furthermore, we define concrete criteria for highly-scalable container integrity monitoring and verify the implementation of proposing filtering method that has actual high scalability while maintaining its detection capability. Our experiment with real applications on around 3,800 containers demonstrates its effectiveness even on large-scale clusters, and we clarified how detected events are triggered by user operation.

show abstract

Access Security Policy Generation for Containers as a Cloud Service

Zhu,

Gehrmann,

Roth

2023

SN COMPUT. SCI.

View full text Add to dashboard Cite

The rapid development of containerization technology comes with remarkable benefits for developers and operation teams. Container solutions allow building very flexible software infrastructures. Although lots of efforts have been devoted to enhancing containerization security, containerized environments still have a huge attack surface. Completely avoiding severe security issues have so far not been possible to achieve. However, the security problems due to vulnerabilities in for instance kernels, can be largely reduced if the container privileges are as restricted as possible. Mandatory access control is an efficient way to achieve this using for instance AppArmor. As manual AppArmor generation is tedious and error prone, automatic generation of protection profile is necessary. In previous research, a new tool for tight AppArmor profile generation was presented. In this paper we show how, in a system setting, such tool can be combined with container service testing, to provide a cloud based container service for automatic AppArmore profile generation. We present solutions for profile generation both for centrally collected and generated container logs and for log collection through a local agent. To evaluate the effectiveness of the profile generation service, we enable it on a widely used containerized web service to generate profiles and test them with real-world attacks. We generate an exploit database with 11 exploits harmful to the tested web service. These exploits are sifted from the 56 exploits of Exploit-db targeting the tested web service’s software. We launch these exploits on the web service protected by the profile. The results show that the proposed profile generation service improves the test web service’s overall security a lot compared to using the default Docker security profile. This together with the very user friendly and robust principle for setting up and running the service, clearly indicates that the approach is an important step for improving container security in real deployments.

show abstract

Highly-Scalable Container Integrity Monitoring for Large-Scale Kubernetes Cluster

Cited by 7 publications

References 8 publications

Application Integrity Protection on Kubernetes cluster based on Manifest Signature Verification

Application Integrity Protection on Kubernetes cluster based on Manifest Signature Verification

Real-time Container Integrity Monitoring for Large-Scale Kubernetes Cluster

Access Security Policy Generation for Containers as a Cloud Service

Contact Info

Product

Resources

About