Tongxin xuebao (Jan 2023)
Container escape detection method based on heterogeneous observation chain
Abstract
Aiming at the problem of the high false-negative rate of existing container escape detection techniques, a real-time detection method based on heterogeneous observation was proposed. Firstly, container escape behaviour that exploits kernel vulnerabilities was modelled, and the critical attributes of the process were selected as observation points. A heterogeneous observation method was proposed with "privilege escalation" as the detection criterion. Secondly, a kernel module was adopted to capture the attribute information of processes in real time, and a process provenance graph was constructed; the scale of the provenance graph was reduced through container boundary identification. Finally, a heterogeneous observation chain was built from the process attribute information, and the prototype system HOC-Detector was implemented. The experiments show that HOC-Detector successfully detects all container escapes that use kernel vulnerabilities in the test dataset, and the added runtime overhead is less than 0.8%.
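The pipeline the abstract describes (attribute observation points, a process provenance graph, container boundary identification to narrow the graph, and "privilege escalation" as the criterion evaluated along an observation chain) can be illustrated end to end on a constructed capture. The following is an added example written for this page; it is not HOC-Detector's code, and the paper does not state which process attributes it observes. The example assumes uid, the capability set and the mount/PID namespace identifiers as the observation points, assumes that the process without an observed parent is the host init, and assumes that a container boundary is the first process whose namespaces differ from a host-namespace parent; the sample snapshots are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class ProcObs:
    """One snapshot of a process's observed attributes (assumed attribute set)."""
    pid: int
    ppid: int
    uid: int
    caps: frozenset
    mnt_ns: int
    pid_ns: int


# Constructed sample capture, in the order a kernel module would emit it.
ALL_CAPS = frozenset({"CAP_SYS_ADMIN", "CAP_SYS_MODULE", "CAP_CHOWN", "CAP_NET_BIND_SERVICE"})
CTR_CAPS = frozenset({"CAP_CHOWN", "CAP_NET_BIND_SERVICE"})
SAMPLE_OBS = [
    ProcObs(1, 0, 0, ALL_CAPS, 1000, 1000),        # host init (no observed parent)
    ProcObs(50, 1, 0, ALL_CAPS, 1000, 1000),       # container runtime on the host
    ProcObs(100, 50, 1000, CTR_CAPS, 2000, 2000),  # container init: new namespaces
    ProcObs(101, 100, 1000, CTR_CAPS, 2000, 2000), # ordinary container child
    ProcObs(102, 100, 1000, CTR_CAPS, 2000, 2000), # child before the anomaly
    ProcObs(102, 100, 0, ALL_CAPS, 2000, 2000),    # same child: uid 0 and full caps
    ProcObs(103, 101, 1000, CTR_CAPS, 1000, 1000), # child now in host namespaces
]


def namespaces(o: ProcObs) -> Tuple[int, int]:
    return (o.mnt_ns, o.pid_ns)


def latest_by_pid(obs: List[ProcObs]) -> Dict[int, ProcObs]:
    """Provenance graph: the latest snapshot per pid; edges are ppid links."""
    latest: Dict[int, ProcObs] = {}
    for o in obs:
        latest[o.pid] = o
    return latest


def identify_container_roots(latest: Dict[int, ProcObs]) -> Tuple[Set[int], Tuple[int, int]]:
    """Container boundary identification (assumed rule): a process is a container
    root when its namespaces differ from its parent's and the parent is in host
    namespaces. Host namespaces are those of the process with no observed parent."""
    host = next(o for o in latest.values() if o.ppid not in latest)
    host_ns = namespaces(host)
    roots: Set[int] = set()
    for o in latest.values():
        parent = latest.get(o.ppid)
        if parent and namespaces(parent) == host_ns and namespaces(o) != host_ns:
            roots.add(o.pid)
    return roots, host_ns


def container_root_of(pid: int, latest: Dict[int, ProcObs], roots: Set[int]) -> Optional[int]:
    """Walk the provenance graph upward to the enclosing container root, if any."""
    cur, seen = pid, set()
    while cur in latest and cur not in seen:
        seen.add(cur)
        if cur in roots:
            return cur
        cur = latest[cur].ppid
    return None  # reached the host without crossing a container boundary


def observe(o: ProcObs, baseline: ProcObs) -> List[str]:
    """Heterogeneous observation: independent checks of each attribute against
    the container root's baseline; any one firing is treated as escalation."""
    reasons = []
    if not o.caps <= baseline.caps:
        reasons.append("capability gain: " + ",".join(sorted(o.caps - baseline.caps)))
    if namespaces(o) != namespaces(baseline):
        reasons.append("namespace crossing")
    if o.uid == 0 and baseline.uid != 0:
        reasons.append("uid escalation to root")
    return reasons


def detect(obs: List[ProcObs]) -> List[Tuple[int, str]]:
    """Evaluate the observation chain (snapshots in capture order) only for
    processes inside a container boundary, which is what shrinks the graph."""
    latest = latest_by_pid(obs)
    roots, _ = identify_container_roots(latest)
    alerts: List[Tuple[int, str]] = []
    for o in obs:
        root = container_root_of(o.pid, latest, roots)
        if root is None or root == o.pid:
            continue
        for reason in observe(o, latest[root]):
            alerts.append((o.pid, reason))
    return alerts


if __name__ == "__main__":
    for pid, reason in detect(SAMPLE_OBS):
        print(f"ALERT pid={pid}: {reason}")
```

Host processes (pids 1 and 50) and the well-behaved container child (pid 101) produce nothing; pid 102 is flagged twice by two independent observation points, and pid 103 is flagged for leaving its container's namespaces. The baseline is the container root's snapshot rather than a static policy, which is what lets the same checks apply to containers started with different capability sets.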