A Few to Unveil Them All: Leveraging Mixture of Experts on Minimal Data for Detecting Covert Channels in Containerized Cloud Infrastructures

Caviglione L. (co-first author); Guarascio M. (co-first author); Pisani F. S. (co-first author); Zuppelli M. (co-first author)
2024

Abstract

Containers are fundamental to pursue the vision of cloud-native applications and implement frameworks taking advantage of the microservice paradigm. Owing to their rapid diffusion, understanding the security posture of containerized deployments is of prime importance. An aspect largely neglected concerns network covert channels, which can be used to implement advanced persistent threats or exfiltrate sensitive data. Unfortunately, revealing the presence of parasitic information hidden in network traffic is a hard task often clashing with privacy, performance and scalability constraints. Therefore, this paper proposes to use a mixture of experts, i.e., deep neural models trained on local datasets that are combined to enhance the overall detection capabilities. Results obtained by considering covert communications targeting the TTL field of IPv4 traffic collected in realistic settings demonstrated the effectiveness of our approach.
Istituto di Calcolo e Reti ad Alte Prestazioni - ICAR
Istituto di Matematica Applicata e Tecnologie Informatiche - IMATI - Sede Secondaria Genova
container security, covert channels, deep ensemble methods, Docker, mixture of experts
Files in this item: 2024_EuroS&PW.pdf (Adobe PDF, 1.07 MB), authorized users only. License: NOT PUBLIC - private/restricted access.

Use this identifier to cite or link to this document: https://hdl.handle.net/20.500.14243/500061