ACE-WARP: A Cost-Effective Approach to Proactive and Non-Disruptive Incident Response in Kubernetes Clusters


Bibliographic details
Published in: IEEE Transactions on Information Forensics and Security, 2024, Vol. 19, pp. 8204-8219
Authors: Bagheri, Sima; Kermabon-Bobinnec, Hugo; Kabir, Mohammad Ekramul; Majumdar, Suryadipta; Wang, Lingyu; Jarraya, Yosr; Nour, Boubakr; Pourzandi, Makan
Format: Article
Language: English
Description
Abstract: Large-scale clusters of containers managed by an orchestrator such as Kubernetes are behind many cloud-native applications today. However, the weaker isolation provided by containers means attackers can potentially exploit a vulnerable container and then escape its isolation to cause more severe damage to the underlying infrastructure and its hosted applications. Defending against such an attack using existing attack detection solutions can be challenging. Due to the well-known high false-positive rate of such solutions, taking aggressive actions upon every alert can lead to unacceptable service disruption. On the other hand, waiting for security administrators to perform in-depth analysis and validation could render the mitigation too late to prevent irreversible damage. In this paper, we propose ACE-WARP, a cost-effective, proactive and non-disruptive incident response to address such security challenges for Kubernetes clusters. First, our approach is proactive in the sense that it performs mitigation based on predicted (instead of real) attacks, which prevents irreversible damage. Second, our approach is also non-disruptive since the mitigation is achieved through live migration of containers, which causes no service disruption even in the case of false positives. Finally, to realize the full potential of this approach in container migration, we formulate the inherent trade-off between security and cost (delay) as a multi-objective optimization problem. Our evaluation results show that ACE-WARP can successfully mitigate up to 81% of the attacks, and our optimization algorithm achieves up to 30% more threat reduction and 7% less delay while being 37 times faster compared to a standard optimization solution.
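The abstract describes a trade-off between threat reduction and migration delay but gives no formulation of it. The following is an added illustration, not ACE-WARP's own model, data or optimization algorithm: it takes a constructed set of candidate pods (the pod names, threat-reduction scores and delay figures are all invented for this page), enumerates every possible migration plan, keeps the Pareto-optimal ones, and selects the plan with the most threat reduction that fits a given delay budget.

```python
"""Security-versus-delay trade-off for choosing which pods to live-migrate.

Added illustration only: the candidate pods, their scores and the brute-force
Pareto search are constructed for this page and are NOT ACE-WARP's model,
data or solver. It shows the shape of the problem the abstract describes:
each migration removes some predicted threat but costs delay, and no single
plan is best on both axes.
"""
from dataclasses import dataclass
from itertools import combinations
from typing import Iterable, List, Optional, Tuple

Metrics = Tuple[int, int]  # (total threat reduction, total migration delay in seconds)


@dataclass(frozen=True)
class Candidate:
    pod: str
    threat_reduction: int  # predicted threat removed by migrating this pod (constructed score)
    delay_s: int           # estimated live-migration delay in seconds (constructed)


# Constructed candidate set: pods on a node where an attack has been predicted.
CANDIDATES = [
    Candidate("web-frontend", 35, 4),
    Candidate("auth-svc", 50, 9),
    Candidate("log-agent", 10, 1),
    Candidate("db-proxy", 40, 6),
]


def plan_metrics(plan: Iterable[Candidate]) -> Metrics:
    """Total threat reduction and total delay of migrating every pod in the plan."""
    plan = list(plan)
    return (sum(c.threat_reduction for c in plan), sum(c.delay_s for c in plan))


def dominates(a: Metrics, b: Metrics) -> bool:
    """a dominates b: at least as much threat reduction, no more delay, strictly better in one."""
    return a[0] >= b[0] and a[1] <= b[1] and a != b


def pareto_front(cands: List[Candidate]) -> List[Tuple[Tuple[Candidate, ...], Metrics]]:
    """Enumerate every subset of candidates and keep the non-dominated plans, sorted by delay.

    Exhaustive enumeration is 2^n and only viable for a handful of pods; a real
    system needs a proper multi-objective solver or heuristic for this step.
    """
    plans = []
    for k in range(len(cands) + 1):
        for combo in combinations(cands, k):
            plans.append((combo, plan_metrics(combo)))
    front = [(plan, m) for plan, m in plans
             if not any(dominates(other, m) for _, other in plans)]
    front.sort(key=lambda pm: pm[1][1])  # ascending total delay
    return front


def best_under_budget(cands: List[Candidate],
                      delay_budget_s: int) -> Optional[Tuple[Tuple[Candidate, ...], Metrics]]:
    """Pareto-optimal plan with the most threat reduction whose delay fits the budget."""
    best = None
    for plan, (tr, d) in pareto_front(cands):
        if d <= delay_budget_s and (best is None or tr > best[1][0]):
            best = (plan, (tr, d))
    return best


def plan_pods(plan: Iterable[Candidate]) -> List[str]:
    """Pod names in a plan, in candidate order."""
    return [c.pod for c in plan]


if __name__ == "__main__":
    for plan, (tr, d) in pareto_front(CANDIDATES):
        print(f"threat reduction {tr:3d}  delay {d:2d}s  migrate {plan_pods(plan)}")
    chosen = best_under_budget(CANDIDATES, delay_budget_s=10)
    print("within a 10 s budget:", plan_pods(chosen[0]), chosen[1])
```

With these constructed numbers, migrating auth-svc alone (50 threat points for 9 s) is dominated by migrating db-proxy plus log-agent (50 points for 7 s), and under a 10 s budget the best plan is web-frontend plus db-proxy. The point of the exercise is that the selection depends on the whole candidate set, not on ranking pods by threat score alone.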
ISSN: 1556-6013, 1556-6021
DOI: 10.1109/TIFS.2024.3449038