No Country for Leaking Containers: Detecting Exfiltration of Secrets Through AI and Syscalls
Zuppelli M. (first author); Guarascio M.; Caviglione L.; Liguori A.
2024
Abstract
Containers offer lightweight execution environments for implementing microservices and cloud-native applications. Owing to their widespread adoption, together with the complex interplay of hardware, computing, and network resources, effectively enforcing container security is a difficult task. In particular, runtime detection of threats poses many challenges, since container images are often immutable and much malware employs obfuscation or evasion mechanisms. Therefore, in this work we propose a deep-learning-based approach for identifying two containers colluding to covertly leak secret information. Specifically, we consider a threat actor trying to exfiltrate a 4,096-bit private TLS key via five different covert channels. To decide whether containers are colluding to leak data, the deep learning model is fed with statistical indicators of the syscalls, built from simple counters. Results indicate the effectiveness of our approach, even if some adjustments are needed to reduce the number of false positives.
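The abstract describes a pipeline that turns raw syscall counters into per-window statistical indicators and then lets a model decide whether two containers are colluding. The following is an added illustration of that feature-engineering step; it is not the paper's code, and the paper's covert channels, window size and model are not reproduced here. The trace format (`<t_ms> <container> <syscall>`), the 100 ms window, the container names and the burst patterns are assumptions, the trace is constructed in `build_trace()`, and the pairwise correlation of per-window counts is a deliberately simple stand-in for the deep learning model:

```python
import math
from collections import Counter, defaultdict
from itertools import combinations

WINDOW_MS = 100  # aggregation window; an assumption, the paper's window is not given here

# Constructed trace generator (not real data). A "leaker" container signals a
# 1-bit with a burst of write/fsync and a "receiver" polls with stat/read in the
# same window; "web" is an unrelated container with a bit-independent load.
SECRET_BITS = "1100" * 5


def build_trace(bits=SECRET_BITS):
    """Return constructed trace lines of the form '<t_ms> <container> <syscall>'."""
    lines = []
    for i, bit in enumerate(bits):
        t = i * WINDOW_MS + 5  # every event of window i is stamped inside window i
        if bit == "1":
            lines += [f"{t} leaker write"] * 20 + [f"{t} leaker fsync"] * 5
            lines += [f"{t} receiver stat"] * 20 + [f"{t} receiver read"] * 20
        else:
            lines += [f"{t} leaker write"] * 2
            lines += [f"{t} receiver stat"] * 3
        lines += [f"{t} web read"] * 5 + [f"{t} web write"] * 5
        lines += [f"{t} web sendto"] * (2 * (i % 2))  # mild variation unrelated to the bits
    return lines


def window_counters(lines, window_ms=WINDOW_MS):
    """Map (container, window index) -> Counter of syscall names: the raw counters."""
    counters = defaultdict(Counter)
    for line in lines:
        t_ms, container, syscall = line.split()
        counters[(container, int(t_ms) // window_ms)][syscall] += 1
    return counters


def indicators(counter):
    """Statistical indicators derived from one window's raw counters."""
    total = sum(counter.values())
    probs = [c / total for c in counter.values()]
    return {
        "total": total,                                        # overall syscall rate
        "distinct": len(counter),                              # how many distinct syscalls
        "entropy": -sum(p * math.log2(p) for p in probs),      # spread of the syscall mix
        "top_share": max(probs),                               # dominance of one syscall
    }


def feature_matrix(lines, window_ms=WINDOW_MS):
    """container -> per-window indicator dicts; windows without events are all-zero."""
    counters = window_counters(lines, window_ms)
    n_windows = max(w for _, w in counters) + 1
    containers = sorted({c for c, _ in counters})
    empty = {"total": 0, "distinct": 0, "entropy": 0.0, "top_share": 0.0}
    return {
        c: [indicators(counters[(c, w)]) if (c, w) in counters else dict(empty)
            for w in range(n_windows)]
        for c in containers
    }


def pearson(xs, ys):
    """Pearson correlation; a constant series has no co-variation to measure and scores 0."""
    n = len(xs)
    mx, my = sum(xs) / n, sum(ys) / n
    sxx = sum((x - mx) ** 2 for x in xs)
    syy = sum((y - my) ** 2 for y in ys)
    if sxx == 0 or syy == 0:
        return 0.0
    return sum((x - mx) * (y - my) for x, y in zip(xs, ys)) / math.sqrt(sxx * syy)


def collusion_scores(features, key="total"):
    """Pairwise correlation of one indicator's time series across containers.
    Stand-in for the learned model: a high score marks a candidate colluding pair."""
    series = {c: [f[key] for f in feats] for c, feats in features.items()}
    return {pair: pearson(series[pair[0]], series[pair[1]])
            for pair in combinations(sorted(series), 2)}


def flag_pairs(lines, threshold=0.9):
    """Container pairs whose per-window activity co-varies above the threshold."""
    scores = collusion_scores(feature_matrix(lines))
    return sorted(pair for pair, s in scores.items() if s >= threshold)


if __name__ == "__main__":
    trace = build_trace()
    for pair, score in collusion_scores(feature_matrix(trace)).items():
        print(pair, round(score, 3))
    print("flagged:", flag_pairs(trace))
```

On this constructed trace the leaker/receiver pair scores 1.0 while both score 0.0 against the unrelated web container; real traces carry noise from the application's own activity, and a model that only looks at one indicator's correlation is exactly what produces the false positives the abstract mentions (two busy containers sharing a traffic rhythm would be flagged too), which is why the indicator vector is richer than a single count.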
| File | Size | Format | Access |
|---|---|---|---|
| 2024_ARES.pdf | 1.78 MB | Adobe PDF | Authorized users only; licence: NOT PUBLIC - private/restricted access; View/Open or Request a copy |

Documents in IRIS are protected by copyright and all rights are reserved, unless otherwise indicated.