PerfSPEC: Performance Profiling-based Proactive Security Policy Enforcement for Containers


Bibliographic details
Published in: IEEE Transactions on Dependable and Secure Computing, June 2024, pp. 1-18
Authors: Hugo Kermabon-Bobinnec, Sima Bagheri, Mahmood GholipourChoubeh, Suryadipta Majumdar, Yosr Jarraya, Lingyu Wang, Makan Pourzandi
Format: Article
Language: English
Description
Abstract: Container environments provide cloud-native applications with scalability, flexibility, and portability. As a popular container orchestrator, Kubernetes automates the deployment and maintenance of large numbers of containerized applications. However, misconfigurations, vulnerabilities, or implementation flaws may allow attackers to exploit the Kubernetes cluster. Although existing solutions such as runtime security policy enforcement can prevent an attack, they can be inefficient in large-scale container environments. In this paper, we propose a performance profiling-based proactive security policy enforcement solution, PerfSPEC. First, we accelerate the proactivization of policies (which typically requires significant manual effort) by profiling and ranking existing policies according to the overhead they induce. This allows us to focus our efforts where they matter and greatly improve the overall response time (e.g., by 98% in contrast to less than 49%). Then, we address the performance limitations of existing solutions by leveraging learning-based approaches to predict future events and compute their verification results in advance. As a result, PerfSPEC achieves a viable response time (e.g., less than 10 ms in contrast to 600 ms with one of the most popular existing approaches) even for large container environments (up to 800 Pods).
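The abstract describes two mechanisms: ranking admission policies by the overhead they induce, and precomputing verification results for events a learned model predicts will come next, so that the decision at admission time is a lookup rather than a full policy evaluation. The following Python sketch is an added illustration of those two ideas and is not PerfSPEC's code; the abstract does not say which learning approach the paper uses, so a first-order Markov model over the audit trail is assumed here as a stand-in, and the four policies, the `registry.internal/` registry and the sample audit trail are constructed for the example.

```python
"""Illustrative sketch of overhead profiling and proactive policy verification.
Added example, not PerfSPEC's implementation; policies, registry and trail are assumed."""
import re
import time
from collections import Counter, defaultdict

# Constructed stand-ins for admission rules (real ones would be OPA/Kyverno rules).
ALLOWED_REGISTRIES = ("registry.internal/",)  # assumption: hypothetical trusted registry
_REGISTRY_RE = re.compile("^(" + "|".join(re.escape(r) for r in ALLOWED_REGISTRIES) + ")")


def deny_privileged(ev):
    return not ev.get("privileged", False)


def deny_host_network(ev):
    return not ev.get("host_network", False)


def deny_mutable_tag(ev):
    # Reject images without an explicit tag or with the floating ":latest" tag.
    image = ev.get("image", "")
    return ":" in image and not image.endswith(":latest")


def require_trusted_registry(ev):
    return bool(_REGISTRY_RE.match(ev.get("image", "")))


POLICIES = {
    "deny-privileged": deny_privileged,
    "deny-host-network": deny_host_network,
    "deny-mutable-tag": deny_mutable_tag,
    "require-trusted-registry": require_trusted_registry,
}


def canonical(ev):
    """Stable hashable key for an event so verdicts can be cached by content."""
    return tuple(sorted(ev.items()))


def evaluate(policies, ev):
    """Reactive verification: run every policy on the event; return {name: passed}."""
    return {name: bool(check(ev)) for name, check in policies.items()}


def profile_policies(policies, events, repeats=200):
    """Mean wall-clock seconds per evaluation of each policy over a sample workload.
    Timing is noisy, so measure over many repeats before trusting the ranking."""
    overhead = {}
    for name, check in policies.items():
        start = time.perf_counter()
        for _ in range(repeats):
            for ev in events:
                check(ev)
        overhead[name] = (time.perf_counter() - start) / (repeats * len(events))
    return overhead


def rank_by_overhead(overhead):
    """Costliest policies first: these are the ones worth proactivizing."""
    return sorted(overhead, key=overhead.get, reverse=True)


class EventPredictor:
    """First-order Markov model over canonical events, learned from an audit trail
    (assumed stand-in for the paper's learning-based prediction)."""

    def __init__(self):
        self.transitions = defaultdict(Counter)

    def train(self, trail):
        for prev, nxt in zip(trail, trail[1:]):
            self.transitions[canonical(prev)][canonical(nxt)] += 1

    def predict(self, current, k=2):
        return [dict(key) for key, _ in self.transitions[canonical(current)].most_common(k)]


class ProactiveEnforcer:
    def __init__(self, policies, predictor):
        self.policies, self.predictor = policies, predictor
        self.cache, self.hits, self.misses = {}, 0, 0

    def precompute(self, current):
        """After seeing `current`, verify the predicted next events ahead of time."""
        for nxt in self.predictor.predict(current):
            self.cache.setdefault(canonical(nxt), evaluate(self.policies, nxt))

    def decide(self, ev):
        """Admission decision: cached verdict on a correct prediction, else reactive."""
        verdict = self.cache.get(canonical(ev))
        if verdict is None:
            self.misses += 1
            verdict = evaluate(self.policies, ev)
        else:
            self.hits += 1
        self.precompute(ev)
        return all(verdict.values()), verdict


# Constructed audit trail: a CI pipeline that redeploys the same three Pods in order.
AUDIT_TRAIL = [
    {"kind": "Pod", "name": "web", "image": "registry.internal/web:1.4.2"},
    {"kind": "Pod", "name": "db", "image": "registry.internal/postgres:16.2"},
    {"kind": "Pod", "name": "cache", "image": "registry.internal/redis:7.2"},
] * 5


def run_demo():
    predictor = EventPredictor()
    predictor.train(AUDIT_TRAIL)
    enforcer = ProactiveEnforcer(POLICIES, predictor)
    allowed_seq = [enforcer.decide(ev)[0] for ev in AUDIT_TRAIL[:3]]
    # An event the model never saw falls back to full verification and is denied.
    rogue = {"kind": "Pod", "name": "miner", "image": "docker.io/evil/miner:latest", "privileged": True}
    rogue_allowed, rogue_verdict = enforcer.decide(rogue)
    return enforcer.hits, enforcer.misses, allowed_seq, rogue_allowed, rogue_verdict


if __name__ == "__main__":
    print(rank_by_overhead(profile_policies(POLICIES, AUDIT_TRAIL[:3])))
    print(run_demo())
```

In the demo the first event is a cache miss (nothing has been predicted yet), the next two are hits because the predictor has learned the deployment order, and the unseen privileged Pod is a miss that is still fully verified and denied. The security property to preserve when adding such a cache is that a miss never short-circuits to "allow": the reactive path must always run, and the cache key must cover every field the policies read, otherwise a cached verdict for a benign event could be reused for a differing one.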
ISSN: 1545-5971, 1941-0018
DOI:10.1109/TDSC.2024.3420712