Adversarial-Aware Kubernetes Admission Controllers for Real-Time Threat Suppression
Keywords: Kubernetes, Threat, Adversarial, Controllers
Abstract
As more applications are containerized and built from microservices, Kubernetes has become the leading choice for managing and orchestrating them. Yet the fast-changing nature of these systems leaves important security gaps, particularly in immediate protection from adversaries. This paper explains how to integrate adversarial-aware logic into Kubernetes admission controllers so that threats are blocked before any workload reaches the cluster. We discuss how a webhook-based controller can detect and block threats and adapt its behaviour at run time using alerts, probability scores and rule sets. Drawing on observations of secure microservice platforms, principles of moving target defense and trusted execution environments, we assess the value of enforcing security early, at admission time. The main contributions are threat-score models, their evaluation against mock attacks, and the blending of SGX checks with Kubernetes admission procedures. The paper also reports simulation results on detection effectiveness, response time and flexibility under changing policies. Combining fast threat identification with real-time admission of containers protects workloads and strictly enforces zero-trust rules. The results show that containers need strong, fast security integration, since adversaries are likely to keep adapting over time.
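To make the abstract's architecture concrete, the following is an added illustration of the decision logic of a threat-scoring validating admission webhook. It is not the paper's code, and the rule set, the weights, the noisy-OR scoring formula, the thresholds and the sample AdmissionReview are all constructed for illustration. The rules inspect a Pod manifest for findings such as privileged containers, host namespaces, hostPath volumes, dangerous added capabilities, unpinned images and root execution; the weights are combined into a single probability-style threat score; and a Policy object carries thresholds and rules that can be swapped at run time, which is how a webhook would adapt to changing policy without a restart. Only the pure decision function is shown, so it runs offline; a real deployment wraps review() in an HTTPS handler registered through a ValidatingWebhookConfiguration.

```python
"""Threat-scoring validating admission webhook: pure decision logic.

Added example, not the paper's code. A real deployment wraps `review()` in an
HTTPS handler that the API server calls via a ValidatingWebhookConfiguration;
only the decision logic is shown so it runs offline.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple


@dataclass
class Rule:
    name: str
    weight: float                    # assumed P(hostile | this finding), 0..1
    check: Callable[[dict], bool]    # predicate over a Pod manifest (dict)


def _containers(pod: dict) -> list:
    spec = pod.get("spec", {})
    return spec.get("containers", []) + spec.get("initContainers", [])


def _sc(container: dict) -> dict:
    return container.get("securityContext") or {}


def _any_container(pred: Callable[[dict], bool]) -> Callable[[dict], bool]:
    return lambda pod: any(pred(c) for c in _containers(pod))


def _image_unpinned(container: dict) -> bool:
    image = container.get("image", "")
    if "@sha256:" in image:          # digest-pinned: fine
        return False
    last = image.rsplit("/", 1)[-1]  # drop registry (with port) and path
    return ":" not in last or last.endswith(":latest")


# Rule set and weights are constructed for illustration; tune per cluster.
DEFAULT_RULES: List[Rule] = [
    Rule("privileged-container", 0.9,
         _any_container(lambda c: _sc(c).get("privileged") is True)),
    Rule("host-namespace", 0.7,
         lambda pod: any(pod.get("spec", {}).get(k) for k in ("hostPID", "hostNetwork", "hostIPC"))),
    Rule("hostpath-volume", 0.6,
         lambda pod: any("hostPath" in v for v in pod.get("spec", {}).get("volumes", []))),
    Rule("dangerous-capability", 0.8,
         _any_container(lambda c: bool({"SYS_ADMIN", "NET_ADMIN", "SYS_PTRACE"}
                                       & set((_sc(c).get("capabilities") or {}).get("add") or [])))),
    Rule("unpinned-image", 0.3, _any_container(_image_unpinned)),
    # Simplification: container-level securityContext only; pod-level is ignored.
    Rule("runs-as-root", 0.4,
         _any_container(lambda c: _sc(c).get("runAsUser") == 0 or _sc(c).get("runAsNonRoot") is not True)),
]


@dataclass
class Policy:
    """Thresholds and rules can be replaced at run time without a restart."""
    deny_threshold: float = 0.75
    warn_threshold: float = 0.3
    rules: List[Rule] = field(default_factory=lambda: list(DEFAULT_RULES))


def threat_score(pod: dict, rules: List[Rule] = DEFAULT_RULES) -> Tuple[float, List[str]]:
    """Noisy-OR combination: P(hostile) = 1 - prod(1 - w_i) over fired rules."""
    findings = [r.name for r in rules if r.check(pod)]
    p_benign = 1.0
    for r in rules:
        if r.name in findings:
            p_benign *= 1.0 - r.weight
    return round(1.0 - p_benign, 4), findings


def review(admission_review: dict, policy: Policy) -> dict:
    """Turn an AdmissionReview request (v1 shape) into an AdmissionReview response."""
    req = admission_review["request"]
    score, findings = threat_score(req["object"], policy.rules)
    resp: Dict = {"uid": req["uid"], "allowed": score < policy.deny_threshold}
    if not resp["allowed"]:
        resp["status"] = {"code": 403,
                          "message": f"threat score {score} >= {policy.deny_threshold}: {', '.join(findings)}"}
    elif score >= policy.warn_threshold:
        resp["warnings"] = [f"threat score {score}: {name}" for name in findings]
    return {"apiVersion": admission_review["apiVersion"], "kind": "AdmissionReview", "response": resp}


# Constructed sample AdmissionReview for a plainly hostile Pod (uid is a placeholder).
SAMPLE_REVIEW = {
    "apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
    "request": {"uid": "11111111-2222-3333-4444-555555555555",
                "kind": {"group": "", "version": "v1", "kind": "Pod"},
                "object": {"apiVersion": "v1", "kind": "Pod",
                           "metadata": {"name": "dropper", "namespace": "default"},
                           "spec": {"hostPID": True,
                                    "containers": [{"name": "c", "image": "nginx:latest",
                                                    "securityContext": {"privileged": True}}]}}}}

if __name__ == "__main__":
    import json
    print(json.dumps(review(SAMPLE_REVIEW, Policy()), indent=2))
    # Relaxing the threshold at run time turns the deny into warnings only.
    print(json.dumps(review(SAMPLE_REVIEW, Policy(deny_threshold=0.99)), indent=2))
```

The noisy-OR combination means independent weak findings compound: the sample pod fires four rules and scores 0.9874, so the default policy denies it, while a policy with deny_threshold=0.99 admits it with warnings attached to the response, which is the run-time policy change the abstract describes. A digest-pinned, non-root pod with no host access fires no rule and scores 0.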
This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.
IJISAE open access articles are licensed under a Creative Commons Attribution-ShareAlike 4.0 International License. This license lets the audience use the material provided they give appropriate credit, provide a link to the license, and indicate if changes were made; if they remix, transform, or build upon the material, they must distribute their contributions under the same license as the original.