Refining Security Monitoring Techniques for Container-Based Virtualisation Environments

Type

Master's thesis

Abstract

Context: Virtualisation is a vital part of many industries' software deployment. When virtualisation became popular, it was more or less synonymous with virtual machines and hypervisors. Since then, a newer form of virtualisation, containers, has surged in popularity. Containers improve on traditional hypervisors in several respects, with lower overhead and short boot and shutdown times often being cited. Problem: However, because of the way containers operate, they do not achieve the same level of isolation, an essential attribute in security. Containers share the kernel with the host and with the other containers running on that host. A shared kernel means the attack surface differs from that of hypervisors, creating an elevated need for proper monitoring and for investigating potential monitoring techniques that detect attacks, threats or misbehaving containers. Objective: This study aims to understand which container monitoring techniques are available and how they operate. Moreover, it explores novel container monitoring techniques that provide better efficiency and better coverage of the STRIDE threat model. Approach: The first objective is realised by conducting a literature review using the snowballing approach. The second objective is realised by following the design science research methodology. Results: As a result, a container monitoring technique is created and refined over four iterations. This technique uses the Isolation Forest algorithm to detect anomalies in system call traces. The Isolation Forest algorithm enables unsupervised anomaly detection while offering several advantageous characteristics in terms of efficiency and detection. Evaluation: In order to evaluate the proposed monitoring technique and compare it with other techniques, a framework is developed that supports the use of different anomaly detection and feature extraction algorithms, streamlining the evaluation process. Conclusion: The resulting technique detects all attacks included in the evaluation while keeping an average false positive rate (FPR) below 3%.

Subject/keywords

Computer, science, computer science, engineering, project, thesis, security, container, monitoring, anomaly detection
