Container escape detection method based on heterogeneous observation chain
Main Authors: | Yuntao ZHANG, Binxing FANG, Chunlai DU, Zhongru WANG, Zhijian CUI, Shouyou SONG |
---|---|
Format: | Article |
Language: | zho |
Published: | Editorial Department of Journal on Communications, 2023-01-01 |
Series: | Tongxin xuebao |
Subjects: | container escape; kernel vulnerability; open provenance model; heterogeneous observation chain |
Online Access: | http://www.joconline.com.cn/zh/article/doi/10.11959/j.issn.1000-436x.2023008/ |
Field | Value |
---|---|
author | Yuntao ZHANG, Binxing FANG, Chunlai DU, Zhongru WANG, Zhijian CUI, Shouyou SONG |
author_sort | Yuntao ZHANG |
collection | DOAJ |
description | Aiming at the problem of the high false negative rate of existing container escape detection techniques, a real-time detection method based on heterogeneous observation was proposed. Firstly, container escape behavior that exploits kernel vulnerabilities was modeled, and the critical attributes of the process were selected as observation points. A heterogeneous observation method was proposed with "privilege escalation" as the detection criterion. Secondly, a kernel module was adopted to capture the attribute information of the process in real time, and a process provenance graph was constructed. The scale of the provenance graph was reduced through container boundary identification. Finally, a heterogeneous observation chain was built from the process attribute information, and the prototype system HOC-Detector was implemented. Experiments show that HOC-Detector successfully detects all container escapes using kernel vulnerabilities in the test dataset, and the added runtime overhead is less than 0.8%. |
format | Article |
id | doaj-art-9d33c9eeca7a4b3787f349a8dffd155b |
institution | Kabale University |
issn | 1000-436X |
language | zho |
publishDate | 2023-01-01 |
publisher | Editorial Department of Journal on Communications |
record_format | Article |
series | Tongxin xuebao |
title | Container escape detection method based on heterogeneous observation chain |
topic | container escape; kernel vulnerability; open provenance model; heterogeneous observation chain |
url | http://www.joconline.com.cn/zh/article/doi/10.11959/j.issn.1000-436x.2023008/ |