Designing a Proactive Security Solution for Kubernetes Clusters
Type: Master's thesis (Examensarbete för masterexamen)
Abstract
Kubernetes cloud environments often contain security vulnerabilities that are exploitable at runtime yet go undetected by the scanning tools widely used during the build and deployment phases, because of the distributed and dynamic nature of containerized applications. Traditional reactive approaches to detecting runtime exploits usually depend on manual intervention, which delays the response and, when alerts turn out to be false positives, causes unnecessary service disruption.

This thesis develops and evaluates a proactive security solution for Kubernetes clusters, with particular focus on 5G core network environments. The proposed solution integrates multi-step attack detection with automated mitigation strategies to improve detection accuracy and response time. Using a labeled dataset of Falco alerts generated within a 5G core network by the ACE-WARP project, five statistical and machine learning models are developed and evaluated: Markov Chain, Hidden Markov Model, Long Short-Term Memory (LSTM), Convolutional Neural Network (CNN), and Bayesian Network. For each model, the likelihood of an alert sequence under the normal and attack distributions is used for the binary classification task of identifying sequences that contain attacks. All models are evaluated with both balanced (1:1) and imbalanced (1:50) class ratios. The LSTM and CNN models achieve the highest detection rate, 84.3 percent, and the lowest false alarm rate, 0.02 percent, under the imbalanced setting, while maintaining strong precision (average precision of 99.2 percent) and area under the curve (AUC-ROC of 96.2 percent), outperforming the baseline Markov Chain, the other models, and prior work.

Beyond identifying the best-performing models, the thesis also proposes mitigation techniques: pod deletion for immediate isolation of the threat, and sandboxing for forensic analysis. These components form a complete security solution packaged as a containerized microservice using Docker and exposed through a RESTful API, so that it can be applied to large Kubernetes clusters. The design therefore supports the scalability, modularity, and compatibility requirements of industrial 5G core network deployments.
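The decision rule the abstract describes, the likelihood of an alert sequence under a normal model versus an attack model, worked through with the baseline Markov Chain, as an added example that is not code from the thesis or from the ACE-WARP project. The Falco rule names are modelled on names from Falco's default rule set, but the sequences, labels, smoothing constant and hold-out set are constructed; representing the 1:50 imbalanced setting as a prior ratio in the decision threshold is an assumption of this example, not necessarily how the thesis handled it.

```python
"""Markov-chain baseline for flagging attack sequences in a Falco alert stream.

Added example, not code from the thesis. It reproduces only the decision rule
the abstract describes (likelihood of a sequence under a normal model versus
an attack model) with a first-order Markov chain. Rule names are modelled on
Falco default rules; sequences, labels and hold-out data are constructed."""
import math
from collections import defaultdict

START, END, UNK = "<s>", "</s>", "<unk>"

# Constructed training data: each sequence is the ordered list of Falco rule
# names fired by one pod. Labels are synthetic (normal vs. contains attack).
NORMAL_SEQS = [
    ["Container started", "Outbound connection", "Outbound connection", "Container exited"],
    ["Container started", "Read config file", "Outbound connection", "Container exited"],
    ["Container started", "Outbound connection", "Read config file", "Container exited"],
]
ATTACK_SEQS = [
    ["Container started", "Terminal shell in container", "Read sensitive file", "Outbound connection"],
    ["Container started", "Terminal shell in container", "Write below binary dir", "Outbound connection"],
    ["Container started", "Read sensitive file", "Write below binary dir", "Outbound connection"],
]

# Constructed hold-out set: (sequence, label). The third sequence contains a
# rule name never seen in training; it maps to UNK, which weakens the evidence
# enough that it is caught under the balanced prior but missed under 1:50.
HELDOUT = [
    (["Container started", "Read config file", "Read config file", "Container exited"], 0),
    (["Container started", "Terminal shell in container", "Read sensitive file",
      "Write below binary dir", "Outbound connection"], 1),
    (["Container started", "Terminal shell in container", "Constructed unseen rule",
      "Outbound connection"], 1),
]


def train_markov(seqs, alphabet, alpha=1.0):
    """Fit log P(next | current) with additive (Laplace) smoothing.

    Smoothing matters operationally: without it a single transition never seen
    in training drives the sequence likelihood to -inf, and the verdict is then
    decided by which model happened to see that transition, not by the evidence."""
    states = set(alphabet) | {START, END, UNK}
    counts = defaultdict(lambda: defaultdict(int))
    for seq in seqs:
        path = [START] + seq + [END]
        for a, b in zip(path, path[1:]):
            counts[a][b] += 1
    logp = {}
    for a in states:
        total = sum(counts[a].values()) + alpha * len(states)
        for b in states:
            logp[(a, b)] = math.log((counts[a][b] + alpha) / total)
    return {"logp": logp, "states": states}


def log_likelihood(model, seq):
    """Log-probability of a whole alert sequence; unseen rule names map to UNK."""
    known = model["states"]
    path = [START] + [s if s in known else UNK for s in seq] + [END]
    return sum(model["logp"][(a, b)] for a, b in zip(path, path[1:]))


def build_models(alpha=1.0):
    """One chain per class, sharing the alphabet seen in all training data."""
    alphabet = {rule for seq in NORMAL_SEQS + ATTACK_SEQS for rule in seq}
    return train_markov(NORMAL_SEQS, alphabet, alpha), train_markov(ATTACK_SEQS, alphabet, alpha)


def classify(normal_model, attack_model, seq, prior_ratio=1.0):
    """Return 1 (attack) when the log-likelihood ratio clears the prior threshold.

    prior_ratio = P(normal) / P(attack): 1.0 is the balanced (1:1) setting,
    50.0 the imbalanced (1:50) setting. A higher ratio raises the bar a sequence
    must clear, trading detection rate for a lower false alarm rate."""
    llr = log_likelihood(attack_model, seq) - log_likelihood(normal_model, seq)
    return int(llr > math.log(prior_ratio))


def evaluate(normal_model, attack_model, labeled, prior_ratio=1.0):
    """(detection rate, false alarm rate) = (TP / attacks, FP / normals)."""
    tp = fn = fp = tn = 0
    for seq, label in labeled:
        pred = classify(normal_model, attack_model, seq, prior_ratio)
        if label == 1:
            tp, fn = tp + pred, fn + 1 - pred
        else:
            fp, tn = fp + pred, tn + 1 - pred
    return tp / max(tp + fn, 1), fp / max(fp + tn, 1)


if __name__ == "__main__":
    nm, am = build_models()
    for ratio in (1.0, 50.0):
        dr, far = evaluate(nm, am, HELDOUT, ratio)
        print(f"prior normal:attack = {ratio:>4.0f}:1  detection rate {dr:.2f}  false alarm rate {far:.2f}")
```

The same two-model likelihood comparison applies to the HMM, LSTM, CNN and Bayesian Network variants the abstract lists; only the sequence model that produces the two log-likelihoods changes, while the threshold and the detection and false alarm rate computation stay as above.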
Subject/keywords
Kubernetes security solution, multi-step attack detection, attack mitigation
