Refining Security Monitoring Techniques for Container-Based Virtualisation Environments
Type
Master's thesis
Program
Computer systems and networks (MPCSN), MSc
Published
2021
Authors
Lindvärn, Marcus
Lundqvist, Zack
Abstract
Context: Virtualisation is a vital part of many industries' software deployment. When virtualisation became popular, it was more or less synonymous with virtual machines and hypervisors. Since then, a newer form of virtualisation has surged in popularity: containers. Containers provide improvements over traditional hypervisors in several aspects, with lower overhead and short boot and shutdown times often being referenced.
Problem: However, due to the way containers operate, they do not achieve the same level of isolation, an essential attribute in security. Containers share the kernel with the host and with other containers running on the host. A shared kernel means the attack surface differs from that of hypervisors, causing an elevated need for proper monitoring and for investigation of potential monitoring techniques for detecting attacks, threats or misbehaving containers.
Objective: This study aims to understand what container monitoring techniques are available and how they operate. Moreover, it explores novel container monitoring techniques providing better efficiency and coverage of the STRIDE threat model.
Approach: The first objective is realised by conducting a literature review using the snowballing approach. The second objective is realised by following the design science research methodology.
Results: As a result, a container monitoring technique is created and refined over four iterations. This technique uses the Isolation Forest algorithm to detect anomalies in system call traces. The Isolation Forest algorithm enables unsupervised anomaly detection while providing multiple advantageous characteristics in terms of efficiency and detection.
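The Results paragraph summarises the technique without showing how Isolation Forest scores a system call trace. The following is an added example, not code from the thesis or its evaluation framework: it implements a small Isolation Forest from scratch (random feature, random split point, path-length normalisation) over per-syscall count vectors. The syscall vocabulary, the windowed-count feature extraction and all sample traces are constructed assumptions for illustration; the thesis's own feature extraction and data are not on this page.

```python
import math
import random
from collections import Counter

# Assumed fixed syscall vocabulary; feature i of a vector is the count of
# SYSCALLS[i] observed in one trace window.
SYSCALLS = ["read", "write", "openat", "close", "socket", "ptrace", "execve"]
EULER_GAMMA = 0.5772156649


def trace_to_vector(trace):
    """Feature extraction: per-syscall frequency counts in fixed order."""
    counts = Counter(trace)
    return [counts.get(name, 0) for name in SYSCALLS]


def c_factor(n):
    """Expected path length of an unsuccessful BST search over n items; the
    Isolation Forest normalisation term (0 for n <= 1)."""
    if n <= 1:
        return 0.0
    return 2.0 * (math.log(n - 1) + EULER_GAMMA) - 2.0 * (n - 1) / n


def build_tree(rows, depth, max_depth, rng):
    """Recursively partition rows on a random feature at a random split point."""
    n = len(rows)
    if depth >= max_depth or n <= 1:
        return {"size": n}
    # Only features that still vary inside this partition can split it.
    spans = {j: (min(r[j] for r in rows), max(r[j] for r in rows))
             for j in range(len(SYSCALLS))}
    candidates = [j for j, (lo, hi) in spans.items() if lo < hi]
    if not candidates:
        return {"size": n}
    j = rng.choice(candidates)
    lo, hi = spans[j]
    split = rng.uniform(lo, hi)
    left = [r for r in rows if r[j] < split]
    right = [r for r in rows if r[j] >= split]
    return {"feat": j, "split": split,
            "left": build_tree(left, depth + 1, max_depth, rng),
            "right": build_tree(right, depth + 1, max_depth, rng)}


def path_length(x, node):
    """Depth at which x lands in a leaf, plus the leaf-size adjustment."""
    depth = 0
    while "feat" in node:
        node = node["left"] if x[node["feat"]] < node["split"] else node["right"]
        depth += 1
    return depth + c_factor(node["size"])


class IsolationForest:
    def __init__(self, n_trees=100, sample_size=256, seed=0):
        self.n_trees, self.sample_size, self.seed = n_trees, sample_size, seed
        self.trees, self.psi = [], 0

    def fit(self, rows):
        rng = random.Random(self.seed)
        self.psi = min(self.sample_size, len(rows))
        max_depth = math.ceil(math.log2(self.psi)) if self.psi > 1 else 1
        self.trees = [build_tree(rng.sample(rows, self.psi), 0, max_depth, rng)
                      for _ in range(self.n_trees)]
        return self

    def score(self, x):
        """Anomaly score in (0, 1]: near 1 means isolated in very few splits."""
        avg = sum(path_length(x, t) for t in self.trees) / len(self.trees)
        return 2.0 ** (-avg / c_factor(self.psi))


def make_trace(counts, rng):
    """Expand {syscall: count} into a shuffled list of syscall names (constructed)."""
    trace = [name for name, n in counts.items() for _ in range(n)]
    rng.shuffle(trace)
    return trace


def build_sample_traces(seed=1):
    """Constructed data: ten web-server-like windows plus one window
    dominated by openat/ptrace/execve (index 10)."""
    rng = random.Random(seed)
    traces = [make_trace({"read": 48 + i % 5, "write": 28 + (i * 3) % 5,
                          "openat": 8 + (i * 2) % 5, "close": 8 + (i * 2) % 5,
                          "socket": 2 + i % 3}, rng) for i in range(10)]
    traces.append(make_trace({"read": 2, "write": 1, "openat": 30, "close": 30,
                              "ptrace": 25, "execve": 20}, rng))
    return traces


def detect_anomalies(traces, threshold=0.6, seed=0):
    """Unsupervised: fit on all windows, return (scores, indices >= threshold)."""
    rows = [trace_to_vector(t) for t in traces]
    forest = IsolationForest(n_trees=100, seed=seed).fit(rows)
    scores = [forest.score(r) for r in rows]
    return scores, [i for i, s in enumerate(scores) if s >= threshold]


if __name__ == "__main__":
    scores, flagged = detect_anomalies(build_sample_traces())
    for i, s in enumerate(scores):
        print(f"trace {i:2d}: score {s:.3f}{'  <-- flagged' if i in flagged else ''}")
```

The forest is fitted on all eleven windows with no labels, which is the unsupervised setting the abstract refers to; the window whose syscall mix differs from the rest is isolated in one or two splits and scores far above the clustered windows. The threshold of 0.6 is an assumed operating point; in practice it is tuned against the false-positive rate the deployment can tolerate.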
Evaluation: In order to evaluate and compare the proposed monitoring technique with other techniques, a framework is developed to support the use of different anomaly detection and feature extraction algorithms, streamlining the evaluation process.
Conclusion: The resulting technique detects all attacks included in the evaluation while keeping an average FPR below 3%.
Subject/keywords
Computer science, engineering, project, thesis, security, container, monitoring, anomaly detection