The use of containers in cloud computing has been steadily increasing. With the emergence of Kubernetes, the management of applications inside containers (or pods) is simplified. Kubernetes allows automated actions like self-healing, scaling, rolling back, and updates for the application management. At the same time, security threats have also evolved with attacks on pods to perform malicious actions. Out of several recent malware types, cryptomining has emerged as one of the most serious threats with its hijacking of server resources for cryptocurrency mining. During application deployment and execution in the pod, a cryptomining process, started by a hidden malware executable can be run in the background, and a method to detect malicious cryptomining software running inside Kubernetes pods is needed. One feasible strategy is to use machine learning (ML) to identify and classify pods based on whether or not they contain a running process of cryptomining. In addition to such detection, the system administrator will need an explanation as to the reason(s) of the ML's classification outcome. The explanation will justify and support disruptive administrative decisions such as pod removal or its restart with a new image. In this article, we describe the design and implementation of an ML-based detection system of anomalous pods in a Kubernetes cluster by monitoring Linux-kernel system calls (syscalls). Several types of cryptominers images are used as containers within an anomalous pod, and several ML models are built to detect such pods in the presence of numerous healthy cloud workloads. Explainability is provided using SHAP , LIME , and a novel auto-encoding-based scheme for LSTM models. Seven evaluation metrics are used to compare and contrast the explainable models of the proposed ML cryptomining detection engine.

/pdf/cryptomining-detection-in-container-clouds-using-system-3kzc4famfu.pdf

Cryptomining Detection in Container Clouds Using System Calls and Explainable Machine Learning

Cache Side Channel Attacks (SCAs) have gained a lot of attention in the recent past. Since, these attacks exploit the caching hardware vulnerabilities, they are fast and dangerous. Detection of cache side channel attacks is an important step towards mitigating against such hostile entities. Researchers have already proposed different techniques to detect cache side channel attacks. This paper provides a detailed survey of literature related to the state-of-the-art detection techniques for cache based side channel attacks. We identify a set of important characteristics that can be used to characterize a CSCA (cache side channel attack) detection technique. We use the identified features to compare and contrast the most important detection techniques and provide the important observations. We also identify some of the challenges that the research community will have to resolve in future to improve the efficiency of cache side channel detection techniques. To the best of our knowledge, this is the first work to do such a study. We believe that this paper will prove useful to researchers in the area of systems security.

/pdf/meet-the-sherlock-holmes-of-side-channel-leakage-a-survey-of-j0uotubhqk.pdf

Meet the Sherlock Holmes’ of Side Channel Leakage: A Survey of Cache SCA Detection Techniques

This paper presents ESCAPE, an informed moving target defense mechanism for cloud containers. ESCAPE models the interaction between attackers and their target containers as a "predator searching for a prey" search game. Live migration of Linux-containers (prey) is used to avoid attacks (predator) and failures. The entire process is guided by a novel host-based behavior-monitoring system that seamlessly monitors containers for indications of intrusions and attacks. To evaluate ESCAPE effectiveness, we simulated the attack avoidance process based on a mathematical model mimicking the prey-vs-predator search game. Simulation results show high container survival probabilities with minimal added overhead.

Toward Smart Moving Target Defense for Linux Container Resiliency

Containers have been widely adopted in production computing environments for its efficiency and low overhead of isolation. However, recent studies have shown that containerized applications are prone to various security attacks. Moreover, containerized applications are often highly dynamic and short-lived, which further exacerbates the problem. In this paper, we present CDL, a classified distributed learning framework to achieve efficient security attack detection for containerized applications. CDL integrates online application classification and anomaly detection to overcome the challenge of lacking sufficient training data for dynamic short-lived containers while considering diversified normal behaviors in different applications. We have implemented a prototype of CDL and evaluated it over 33 real world vulnerability attacks in 24 commonly used server applications. Our experimental results show that CDL can reduce the false positive rate from over 12% to 0.24% compared to traditional anomaly detection schemes without aggregating training data. By introducing application classification into container behavior learning, CDL can improve the detection rate from catching 20 attacks to 31 attacks before those attacks succeed. CDL is light-weight, which can complete application classification and anomaly detection for each data sample within a few milliseconds.

CDL: Classified Distributed Learning for Detecting Security Attacks in Containerized Applications

Nature is a major source of inspiration for many of the inventions that we rely on to maintain our daily lifestyle. In this paper, we present ESCAPE, an evolved version of our nature-inspired game-like informed moving-target-defense mechanism for cloud containers resiliency. ESCAPE rely on a novel container mobilization framework controlled by a smart attack maneuvering module. That module drives the running containers based on real-time models of the interaction between attackers and their targets as a "predator searching for a prey" search game. ESCAPE employs run-time live-migration of Linux-containers {prey} to avoid attacks (predator) and failures. The entire process is guided by a novel host-based behavior-monitoring system that seamlessly monitors containers for indications of intrusions and attacks. To evaluate the effect of ESCAPE's container live-migration evading attacks, we extensively simulated the attack avoidance process based on a mathematical model mimicking the prey-vs-predator search game. With ESCAPE's live-migrations, results show high container survival probabilities with minimal added overhead.

Smart Moving Target Defense for Linux Container Resiliency

In this paper, we present the results of using bags of system calls for learning the behavior of Linux containers for use in anomaly-detection based intrusion detection system. By using system calls of the containers monitored from the host kernel for anomaly detection, the system does not require any prior knowledge of the container nature, neither does it require altering the container or the host kernel.

Applying Bag of System Calls for Anomalous Behavior Detection of Applications in Linux Containers

Linux containers are gaining increasing traction in both individual and industrial use, and as these containers get integrated into mission-critical systems, real-time detection of malicious cyber attacks becomes a critical operational requirement. This paper introduces a real-time host-based intrusion detection system that can be used to passively detect malfeasance against applications within Linux containers running in a standalone or in a cloud multi-tenancy environment. The demonstrated intrusion detection system uses bags of system calls monitored from the host kernel for learning the behavior of an application running within a Linux container and determining anomalous container behavior. Performance of the approach using a database application was measured and results are discussed.

David S. Levy

Papers

Applying Bag of System Calls for Anomalous Behavior Detection of Applications in Linux Containers

Intrusion Detection System for Applications Using Linux Containers

Intrusion Detection System for Applications using Linux Containers

Applying Bag of System Calls for Anomalous Behavior Detection of Applications in Linux Containers