WEKO3
アイテム
Real-time Container Integrity Monitoring for Large-Scale Kubernetes Cluster
https://ipsj.ixsq.nii.ac.jp/records/212851
https://ipsj.ixsq.nii.ac.jp/records/212851af913088-7d49-4e74-9ba1-f628e4a50eb1
| 名前 / ファイル | ライセンス | アクション |
|---|---|---|
IPSJ-JNL6209002.pdf (2.5 MB)
|
Copyright (c) 2021 by the Information Processing Society of Japan
|
|
| オープンアクセス | ||
| Item type | Journal(1) | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 公開日 | 2021-09-15 | |||||||||||
| タイトル | ||||||||||||
| タイトル | Real-time Container Integrity Monitoring for Large-Scale Kubernetes Cluster | |||||||||||
| タイトル | ||||||||||||
| 言語 | en | |||||||||||
| タイトル | Real-time Container Integrity Monitoring for Large-Scale Kubernetes Cluster | |||||||||||
| 言語 | ||||||||||||
| 言語 | eng | |||||||||||
| キーワード | ||||||||||||
| 主題Scheme | Other | |||||||||||
| 主題 | [特集:Society 5.0を実現するコンピュータセキュリティ技術] container integrity, Kubernetes, allowlist | |||||||||||
| 資源タイプ | ||||||||||||
| 資源タイプ識別子 | http://purl.org/coar/resource_type/c_6501 | |||||||||||
| 資源タイプ | journal article | |||||||||||
| 著者所属 | ||||||||||||
| IBM Research - Tokyo | ||||||||||||
| 著者所属 | ||||||||||||
| IBM Research - Tokyo | ||||||||||||
| 著者所属 | ||||||||||||
| IBM Research - Tokyo | ||||||||||||
| 著者所属(英) | ||||||||||||
| en | ||||||||||||
| IBM Research - Tokyo | ||||||||||||
| 著者所属(英) | ||||||||||||
| en | ||||||||||||
| IBM Research - Tokyo | ||||||||||||
| 著者所属(英) | ||||||||||||
| en | ||||||||||||
| IBM Research - Tokyo | ||||||||||||
| 著者名 |
Hirokuni, Kitahara
× Hirokuni, Kitahara
× Kugamoorthy, Gajananan
× Yuji, Watanabe
|
|||||||||||
| 著者名(英) |
Hirokuni, Kitahara
× Hirokuni, Kitahara
× Kugamoorthy, Gajananan
× Yuji, Watanabe
|
|||||||||||
| 論文抄録 | ||||||||||||
| 内容記述タイプ | Other | |||||||||||
| 内容記述 | Container integrity monitoring is defined as a key requirement for regulatory compliance such as PCI-DSS, in which any unexpected changes such as file updates or program runs must be logged for later audit. System call monitoring provides comprehensive monitoring of such change events on container since it may suffer from large amount of false alarms unless well-defined allowlist rules are coordinated before deploying a container. Defining such a comprehensive allowlist is not feasible especially when managing various kinds of application workloads in large-scale enterprise cluster. We propose a new approach for identifying real anomalies in system call events effectively without relying on any predefined allowlist configuration in this paper. Our novel filtering algorithm based on the knowledge acquired autonomously from Kubernetes cluster control plane reduces 99.999% of noise effectively and distills only abnormal events in real time. Furthermore, we define concrete criteria for highly-scalable container integrity monitoring and verify the implementation of proposing filtering method that has actual high scalability while maintaining its detection capability. Our experiment with real applications on around 3,800 containers demonstrates its effectiveness even on large-scale clusters, and we clarified how detected events are triggered by user operation. ------------------------------ This is a preprint of an article intended for publication Journal of Information Processing(JIP). This preprint should not be cited. This article should be cited as: Journal of Information Processing Vol.29(2021) (online) DOI http://dx.doi.org/10.2197/ipsjjip.29.505 ------------------------------ |
|||||||||||
| 論文抄録(英) | ||||||||||||
| 内容記述タイプ | Other | |||||||||||
| 内容記述 | Container integrity monitoring is defined as a key requirement for regulatory compliance such as PCI-DSS, in which any unexpected changes such as file updates or program runs must be logged for later audit. System call monitoring provides comprehensive monitoring of such change events on container since it may suffer from large amount of false alarms unless well-defined allowlist rules are coordinated before deploying a container. Defining such a comprehensive allowlist is not feasible especially when managing various kinds of application workloads in large-scale enterprise cluster. We propose a new approach for identifying real anomalies in system call events effectively without relying on any predefined allowlist configuration in this paper. Our novel filtering algorithm based on the knowledge acquired autonomously from Kubernetes cluster control plane reduces 99.999% of noise effectively and distills only abnormal events in real time. Furthermore, we define concrete criteria for highly-scalable container integrity monitoring and verify the implementation of proposing filtering method that has actual high scalability while maintaining its detection capability. Our experiment with real applications on around 3,800 containers demonstrates its effectiveness even on large-scale clusters, and we clarified how detected events are triggered by user operation. ------------------------------ This is a preprint of an article intended for publication Journal of Information Processing(JIP). This preprint should not be cited. This article should be cited as: Journal of Information Processing Vol.29(2021) (online) DOI http://dx.doi.org/10.2197/ipsjjip.29.505 ------------------------------ |
|||||||||||
| 書誌レコードID | ||||||||||||
| 収録物識別子タイプ | NCID | |||||||||||
| 収録物識別子 | AN00116647 | |||||||||||
| 書誌情報 |
情報処理学会論文誌 巻 62, 号 9, 発行日 2021-09-15 |
|||||||||||
| ISSN | ||||||||||||
| 収録物識別子タイプ | ISSN | |||||||||||
| 収録物識別子 | 1882-7764 | |||||||||||
