{"metadata":{"_oai":{"id":"oai:ipsj.ixsq.nii.ac.jp:00212851","sets":["581:10433:10442"]},"path":["10442"],"owner":"44499","recid":"212851","title":["Real-time Container Integrity Monitoring for Large-Scale Kubernetes Cluster "],"pubdate":{"attribute_name":"公開日","attribute_value":"2021-09-15"},"_buckets":{"deposit":"22f979e0-14dc-49f1-93eb-311b1cb57d89"},"_deposit":{"id":"212851","pid":{"type":"depid","value":"212851","revision_id":0},"owners":[44499],"status":"published","created_by":44499},"item_title":"Real-time Container Integrity Monitoring for Large-Scale Kubernetes Cluster ","author_link":["543645","543647","543650","543646","543649","543648"],"item_titles":{"attribute_name":"タイトル","attribute_value_mlt":[{"subitem_title":"Real-time Container Integrity Monitoring for Large-Scale Kubernetes Cluster "},{"subitem_title":"Real-time Container Integrity Monitoring for Large-Scale Kubernetes Cluster ","subitem_title_language":"en"}]},"item_keyword":{"attribute_name":"キーワード","attribute_value_mlt":[{"subitem_subject":"[特集：Society 5.0を実現するコンピュータセキュリティ技術] container integrity, Kubernetes, allowlist","subitem_subject_scheme":"Other"}]},"item_type_id":"2","publish_date":"2021-09-15","item_2_text_3":{"attribute_name":"著者所属","attribute_value_mlt":[{"subitem_text_value":"IBM Research - Tokyo"},{"subitem_text_value":"IBM Research - Tokyo"},{"subitem_text_value":"IBM Research - Tokyo"}]},"item_2_text_4":{"attribute_name":"著者所属(英)","attribute_value_mlt":[{"subitem_text_value":"IBM Research - Tokyo","subitem_text_language":"en"},{"subitem_text_value":"IBM Research - Tokyo","subitem_text_language":"en"},{"subitem_text_value":"IBM Research - Tokyo","subitem_text_language":"en"}]},"item_language":{"attribute_name":"言語","attribute_value_mlt":[{"subitem_language":"eng"}]},"publish_status":"0","weko_shared_id":-1,"item_file_price":{"attribute_name":"Billing file","attribute_type":"file","attribute_value_mlt":[{"url":{"url":"https://ipsj.ixsq.nii.ac.jp/record/212851/files/IPSJ-JNL6209002.pdf","label":"IPSJ-JNL6209002.pdf"},"date":[{"dateType":"Available","dateValue":"2023-09-15"}],"format":"application/pdf","billing":["billing_file"],"filename":"IPSJ-JNL6209002.pdf","filesize":[{"value":"2.5 MB"}],"mimetype":"application/pdf","priceinfo":[{"tax":["include_tax"],"price":"0","billingrole":"5"},{"tax":["include_tax"],"price":"0","billingrole":"6"},{"tax":["include_tax"],"price":"0","billingrole":"8"},{"tax":["include_tax"],"price":"0","billingrole":"44"}],"accessrole":"open_date","version_id":"e5bc34b8-98c7-448c-903a-6ee3130c6441","displaytype":"detail","licensetype":"license_note","license_note":"Copyright (c) 2021 by the Information Processing Society of Japan"}]},"item_2_creator_5":{"attribute_name":"著者名","attribute_type":"creator","attribute_value_mlt":[{"creatorNames":[{"creatorName":"Hirokuni, Kitahara"}],"nameIdentifiers":[{}]},{"creatorNames":[{"creatorName":"Kugamoorthy, Gajananan"}],"nameIdentifiers":[{}]},{"creatorNames":[{"creatorName":"Yuji, Watanabe"}],"nameIdentifiers":[{}]}]},"item_2_creator_6":{"attribute_name":"著者名(英)","attribute_type":"creator","attribute_value_mlt":[{"creatorNames":[{"creatorName":"Hirokuni, Kitahara","creatorNameLang":"en"}],"nameIdentifiers":[{}]},{"creatorNames":[{"creatorName":"Kugamoorthy, Gajananan","creatorNameLang":"en"}],"nameIdentifiers":[{}]},{"creatorNames":[{"creatorName":"Yuji, Watanabe","creatorNameLang":"en"}],"nameIdentifiers":[{}]}]},"item_2_source_id_9":{"attribute_name":"書誌レコードID","attribute_value_mlt":[{"subitem_source_identifier":"AN00116647","subitem_source_identifier_type":"NCID"}]},"item_resource_type":{"attribute_name":"資源タイプ","attribute_value_mlt":[{"resourceuri":"http://purl.org/coar/resource_type/c_6501","resourcetype":"journal article"}]},"item_2_source_id_11":{"attribute_name":"ISSN","attribute_value_mlt":[{"subitem_source_identifier":"1882-7764","subitem_source_identifier_type":"ISSN"}]},"item_2_description_7":{"attribute_name":"論文抄録","attribute_value_mlt":[{"subitem_description":"Container integrity monitoring is defined as a key requirement for regulatory compliance such as PCI-DSS, in which any unexpected changes such as file updates or program runs must be logged for later audit. System call monitoring provides comprehensive monitoring of such change events on container since it may suffer from large amount of false alarms unless well-defined allowlist rules are coordinated before deploying a container. Defining such a comprehensive allowlist is not feasible especially when managing various kinds of application workloads in large-scale enterprise cluster. We propose a new approach for identifying real anomalies in system call events effectively without relying on any predefined allowlist configuration in this paper. Our novel filtering algorithm based on the knowledge acquired autonomously from Kubernetes cluster control plane reduces 99.999% of noise effectively and distills only abnormal events in real time. Furthermore, we define concrete criteria for highly-scalable container integrity monitoring and verify the implementation of proposing filtering method that has actual high scalability while maintaining its detection capability. Our experiment with real applications on around 3,800 containers demonstrates its effectiveness even on large-scale clusters, and we clarified how detected events are triggered by user operation.\n------------------------------\nThis is a preprint of an article intended for publication Journal of\nInformation Processing(JIP). This preprint should not be cited. This\narticle should be cited as: Journal of Information Processing Vol.29(2021) (online)\nDOI　http://dx.doi.org/10.2197/ipsjjip.29.505\n------------------------------","subitem_description_type":"Other"}]},"item_2_description_8":{"attribute_name":"論文抄録(英)","attribute_value_mlt":[{"subitem_description":"Container integrity monitoring is defined as a key requirement for regulatory compliance such as PCI-DSS, in which any unexpected changes such as file updates or program runs must be logged for later audit. System call monitoring provides comprehensive monitoring of such change events on container since it may suffer from large amount of false alarms unless well-defined allowlist rules are coordinated before deploying a container. Defining such a comprehensive allowlist is not feasible especially when managing various kinds of application workloads in large-scale enterprise cluster. We propose a new approach for identifying real anomalies in system call events effectively without relying on any predefined allowlist configuration in this paper. Our novel filtering algorithm based on the knowledge acquired autonomously from Kubernetes cluster control plane reduces 99.999% of noise effectively and distills only abnormal events in real time. Furthermore, we define concrete criteria for highly-scalable container integrity monitoring and verify the implementation of proposing filtering method that has actual high scalability while maintaining its detection capability. Our experiment with real applications on around 3,800 containers demonstrates its effectiveness even on large-scale clusters, and we clarified how detected events are triggered by user operation.\n------------------------------\nThis is a preprint of an article intended for publication Journal of\nInformation Processing(JIP). This preprint should not be cited. This\narticle should be cited as: Journal of Information Processing Vol.29(2021) (online)\nDOI　http://dx.doi.org/10.2197/ipsjjip.29.505\n------------------------------","subitem_description_type":"Other"}]},"item_2_biblio_info_10":{"attribute_name":"書誌情報","attribute_value_mlt":[{"bibliographic_titles":[{"bibliographic_title":"情報処理学会論文誌"}],"bibliographicIssueDates":{"bibliographicIssueDate":"2021-09-15","bibliographicIssueDateType":"Issued"},"bibliographicIssueNumber":"9","bibliographicVolumeNumber":"62"}]},"relation_version_is_last":true,"weko_creator_id":"44499"},"id":212851,"updated":"2025-01-19T17:21:05.918667+00:00","links":{},"created":"2025-01-19T01:13:46.735715+00:00"}