| Graduate student: | 許博凱 Po-Kai Hsu |
|---|---|
| Thesis title: | 以基於系統調用的容器異常檢測提升虛擬化安全性 (Enhancing Virtualization Security through System Call-based Anomaly Detection in Containers) |
| Advisor: | 孫敏德 Min-Te Sun |
| Oral committee: | |
| Degree: | Master |
| Department: | College of Electrical Engineering and Computer Science, Executive Master of Computer Science & Information Engineering |
| Year published: | 2023 |
| Academic year of graduation: | 111 (ROC calendar, i.e. the 2022-2023 academic year) |
| Language: | Chinese |
| Pages: | 43 |
| Chinese keywords: | 容器 (container), 虛擬化安全 (virtualization security), 入侵偵測系統 (intrusion detection system), Falco, Docker |
| English keywords: | container, virtualization security, intrusion detection system, Falco, Docker |
Abstract:

In the current era, where microservice architecture is prevalent, containerized applications face unprecedented security challenges. This thesis proposes a container security solution that detects anomalies in the behavior of microservice containers by monitoring and analyzing their system call sequences. To support this, we created a new dataset, named CCoED, that collects the behavior of containers running under a microservice architecture. The proposed solution is built from several core components: a system call monitor, a database and dashboard, a parser, and an anomaly detection model. For the model, we rely on machine learning, specifically an unsupervised autoencoder trained on normal behavior, which needs no attack samples and can therefore flag the exploitation of previously unknown vulnerabilities. The solution also takes full advantage of containerization itself, so that it is simple, scalable, easy to adopt, and highly automated. Our evaluation focuses on two measures: the false alarm rate and the average detection time. Experimental results show that attack detection performs as expected for most containers. However, one subset of containers has a noticeably longer detection time, between 200 and 300 seconds. We hypothesize that the intrinsic complexity of the vulnerabilities involved is the main factor affecting detection time. In summary, the findings provide important guidance for enhancing container security and contribute to further research in microservice security.
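The abstract names the pipeline (monitor, parser, windowed system call sequences, benign-only autoencoder, false alarm rate and detection time) but the thesis code and the CCoED dataset are not on this page. The following is an added example written for this page, not the thesis's implementation: a self-contained, pure-Python version of that pipeline. The monitor output is assumed to be Falco's JSON lines (the key layout `source` / `output_fields` / `evt.type` / `container.id` is Falco's; the events, container IDs and integer-second timestamps are constructed here), and the window size, stride, 3-unit autoencoder and mean-plus-3-sd threshold are illustrative choices, not the thesis's settings.

```python
import json, math, random

BENIGN = ["accept", "read", "openat", "fstat", "read", "close", "write", "close"]
ATTACK = ["execve", "socket", "connect", "dup2", "dup2", "execve"]  # constructed: shell spawn + outbound connect
WINDOW, STRIDE = 8, 4

def make_trace(cid, n_requests, attack_at=None, seed=0):
    """Constructed Falco-style JSON lines: a request loop, with ATTACK appended to request `attack_at`."""
    rng, lines, ts = random.Random(seed), [], 0
    for i in range(n_requests):
        seq = list(BENIGN)
        if rng.random() < 0.3:                      # benign jitter: an extra read or write
            seq.insert(4, rng.choice(["read", "write"]))
        if i == attack_at:
            seq += ATTACK
        for sc in seq:
            lines.append(json.dumps({"time": ts, "source": "syscall",
                                     "output_fields": {"container.id": cid, "evt.type": sc}}))
            ts += 1
    return lines

def parse_events(lines):
    """Parser: JSON lines -> {container_id: [(timestamp, syscall), ...]} in time order."""
    per_container = {}
    for line in lines:
        ev = json.loads(line)
        f = ev.get("output_fields", {})
        if ev.get("source") == "syscall" and "evt.type" in f:   # ignore non-syscall events
            per_container.setdefault(f["container.id"], []).append((ev["time"], f["evt.type"]))
    return {cid: sorted(seq) for cid, seq in per_container.items()}

def windows(seq):
    """Sliding windows -> (timestamp of the window's last event, list of syscalls)."""
    for start in range(0, max(1, len(seq) - WINDOW + 1), STRIDE):
        chunk = seq[start:start + WINDOW]
        yield chunk[-1][0], [sc for _, sc in chunk]

class Autoencoder:
    """d -> h (sigmoid) -> d (linear), trained by plain SGD on mean squared error."""
    def __init__(self, d, h, seed=1):
        rng = random.Random(seed)
        self.W1 = [[rng.uniform(-0.5, 0.5) for _ in range(d)] for _ in range(h)]
        self.W2 = [[rng.uniform(-0.5, 0.5) for _ in range(h)] for _ in range(d)]
        self.b1, self.b2 = [0.0] * h, [0.0] * d
    def _forward(self, x):
        hid = [1.0 / (1.0 + math.exp(-(sum(w * xi for w, xi in zip(row, x)) + b)))
               for row, b in zip(self.W1, self.b1)]
        return hid, [sum(w * hj for w, hj in zip(row, hid)) + b for row, b in zip(self.W2, self.b2)]
    def error(self, x):
        return sum((o - xi) ** 2 for o, xi in zip(self._forward(x)[1], x)) / len(x)
    def fit(self, data, epochs=200, lr=0.5, seed=2):
        rng, data = random.Random(seed), list(data)
        for _ in range(epochs):
            rng.shuffle(data)
            for x in data:
                hid, out = self._forward(x)
                d_out = [2.0 * (o - xi) / len(x) for o, xi in zip(out, x)]
                d_hid = [sum(self.W2[k][j] * d_out[k] for k in range(len(x))) * hj * (1.0 - hj)
                         for j, hj in enumerate(hid)]
                for k in range(len(x)):                 # gradient step on the linear decoder ...
                    self.b2[k] -= lr * d_out[k]
                    for j in range(len(hid)):
                        self.W2[k][j] -= lr * d_out[k] * hid[j]
                for j in range(len(hid)):               # ... and on the sigmoid encoder
                    self.b1[j] -= lr * d_hid[j]
                    for i in range(len(x)):
                        self.W1[j][i] -= lr * d_hid[j] * x[i]

class Detector:
    """Bag-of-system-calls autoencoder fitted on benign windows only. Syscalls never seen in training
    share one '<unk>' slot, so an unfamiliar syscall is itself reconstruction error. Threshold =
    mean + 3 sd of benign reconstruction error, so no attack samples are needed to set it."""
    def __init__(self, benign_windows, hidden=3):
        self.index = {sc: i for i, sc in enumerate(sorted({sc for w in benign_windows for sc in w}))}
        xs = [self.vectorise(w) for w in benign_windows]
        self.model = Autoencoder(len(self.index) + 1, hidden)
        self.model.fit(xs)
        errs = [self.model.error(x) for x in xs]
        mu = sum(errs) / len(errs)
        self.threshold = mu + 3.0 * math.sqrt(sum((e - mu) ** 2 for e in errs) / len(errs))
    def vectorise(self, window):
        v = [0.0] * (len(self.index) + 1)
        for sc in window:
            v[self.index.get(sc, len(self.index))] += 1.0 / len(window)
        return v
    def is_anomalous(self, window):
        return self.model.error(self.vectorise(window)) > self.threshold

def false_alarm_rate(det, benign_seq):
    flags = [det.is_anomalous(w) for _, w in windows(benign_seq)]
    return sum(flags) / len(flags)

def detection_time(det, seq, attack_start_ts):
    """Seconds from the first attack event to the end of the first flagged window; None if missed."""
    for end_ts, w in windows(seq):
        if end_ts >= attack_start_ts and det.is_anomalous(w):
            return end_ts - attack_start_ts
    return None

def run_demo():
    """Train on one benign container, measure FAR on a second, detection time on an attacked third."""
    train = parse_events(make_trace("web-a1", 120, seed=0))["web-a1"]
    benign_test = parse_events(make_trace("web-b7", 60, seed=5))["web-b7"]
    attacked = parse_events(make_trace("web-c3", 60, attack_at=40, seed=9))["web-c3"]
    det = Detector([w for _, w in windows(train)])
    attack_start = next(ts for ts, sc in attacked if sc == ATTACK[0])
    return false_alarm_rate(det, benign_test), detection_time(det, attacked, attack_start)
```

`run_demo()` returns the two metrics the abstract evaluates, the false alarm rate on a clean container and the detection time in (constructed) seconds on an attacked one. Two points worth noting when reading the thesis's numbers against this sketch: detection latency in a windowed scheme is bounded below by the window length and stride multiplied by the container's event rate, so that is the first thing to rule out when one subset of containers is consistently slower to detect; and Falco only forwards what its rules output and can drop syscall events under load, so a deployment has to confirm that `evt.type` is emitted for every syscall of interest and that drops are counted rather than silently shrinking the sequence.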