First Call (September 2023)
Identifying Anomaly Behavior in Container Orchestrator Auditing Logs
Description:
Kubernetes is the facto container orchestrator in public and private clouds. It presents many features that facilitate the management not only of containers but also several elements that help implement more complex applications, like secrets, configmaps, services, and ingresses. All the configurations are handled through an API that manages the access using an RBAC system. These requests to the API are logged by the auditing module, which can be configured with different granularity. If a User or Service Account is compromised, some malicious actor can execute commands to obtain confidential information, like passwords or application topologies. Given the substantial volume of logged events, threshold-based or string-pattern matching algorithms can not be enough to identify malicious behavior in the cluster. So, this project aims to explore the state-of-the-art and compare existing anomaly detection algorithms and their applicability to auditing logs.
Level: BSc/MSc
Supervisor: Luis Augusto Dias Knob (l.diasknob@fbk.eu)
Prerequisites:
- Experience with Python 3
- Experience with Kubernetes and containers
- Experience with deep learning frameworks (e.g., PyTorch, Tensorflow, Keras) is preferable
Topics: Auditing logs, Anomaly detection, Kubernetes, Public cloud
System Calls Misuse Detection in Containerized Systems
Description:
Containers have arisen as a lightweight alternative to virtual machines (VMs). While they have become the industry standard for deploying microservices, container security remains the foremost concern and a significant obstacle to adoption for numerous companies. Containers, as bundles of applications and services packaged together, are susceptible to software bugs or to the inclusion of malware, whether intentionally or inadvertently. These anomalous programs possess the same capabilities as any other component within the container image, making them potential threats to other containers or hosts within the ecosystem. The goal of this project is to investigate Machine Learning (ML) methods to detect container anomalies through the analysis of their systems calls, i.e., of their interactions with the kernel of the hosting machine.
Level: MSc
Supervisor: Roberto Doriguzzi Corin (rdoriguzzi@fbk.eu)
Time frame: from February 2023
Prerequisites:
- Basic knowledge of container technologies (e.g., Docker, Linux containers, etc.)
- Basic knowledge of the Linux OS
- Basic knowledge of the Python programming language and Deep Learning libraries
Objectives:
- Familiarization and study of the state-of-the-art related to container security
- Evaluation of available techniques for anomaly detection in containerized systems
- Design and implementation of an online ML-based solution for the detection of container anomalies through the analysis of the containers system calls.
Topics: Containerized systems, Machine Learning, Anomaly Detection
References:
- El Khairi, Asbat, et al. "Contextualizing system calls in containers for anomaly-based intrusion detection." Proceedings of the 2022 on Cloud Computing Security Workshop. 2022.
- Bèlair, Maxime, Sylvie Laniepce, and Jean-Marc Menaud. "Leveraging kernel security mechanisms to improve container security: a survey." Proceedings of the 14th international conference on availability, reliability and security. 2019.
- Sultan, Sari, Imtiaz Ahmad, and Tassos Dimitriou. "Container security: Issues, challenges, and the road ahead." IEEE access 7 (2019)
Robustness of Intrusion Detection Systems against Adversarial Machine Learning attacks
Description:
A Network Intrusion Detection System (NIDS) serves as the initial line of defence against network attacks that threaten the integrity of data, systems, and networks. Over recent years, Deep Neural Networks (DNNs) have been increasingly used in NIDSs to detect malicious traffic due to their remarkable accuracy in identifying malicious network activity. Nonetheless, DNNs exhibit susceptibility to Adversarial Machine Learning (AML) attacks, where subtle alterations to input data can lead to misclassification by the neural network. This vulnerability has particularly severe consequences, as adversarial attacks pose a substantial threat to overall network security. While the majority of current research in the field of AML has been directed towards computer vision tasks like image classification and object recognition, there has been a notable increase in interest and activity within the cybersecurity domain. Nevertheless, several challenges persist in this domain, encompassing both performance-related issues and the practicality of applying these methods to real-world scenarios. The primary objective of this project is to explore innovative and practical methodologies aimed at enhancing the resilience of NIDSs against AML attacks.
Level: MSc
Supervisor: Roberto Doriguzzi Corin (rdoriguzzi@fbk.eu)
Time frame: from February 2023
Prerequisites:
- Basic knowledge of network security
- Basic knowledge of computer networking
- Basic knowledge of the Python programming language and Deep Learning libraries
Objectives:
- Familiarization and study of the state-of-the-art related to AML attacks and defenses
- Evaluation of available AML techniques against state-of-the-art DL-based NIDS to spot limitations in the existing solutions
- Design and implementation of a novel solution
Topics: Network security, Deep learning, Adversarial Machine Learning
References:
- He, Ke, Dan Dongseong Kim, and Muhammad Rizwan Asghar. "Adversarial machine learning for network intrusion detection systems: a comprehensive survey." IEEE Communications Surveys & Tutorials (2023).
- Alhajjar, Elie, Paul Maxwell, and Nathaniel Bastian. "Adversarial machine learning in network intrusion detection systems." Expert Systems with Applications 186 (2021): 115782.
- Jmila, Houda, and Mohamed Ibn Khedher. "Adversarial machine learning for network intrusion detection: A comparative study." Computer Networks 214 (2022): 109073.
Evaluating the Impact of eBPF Observability Solutions on System Resources
Description:
eBPF (Extended Berkeley Packet Filter) is a recent development in the Linux kernel that allows users to programmatically monitor, observe, and manage kernel activity in a safe and extensible way [1]. In the past years, research has flourished on the topic, with solutions being developed ranging from system call monitoring to container observability, network management and more [2, 3]. However, while moving monitoring solutions to the kernelspace has inherent security and speed advantages, often the overhead of the monitoring activity itself is disregarded. The project will begin by learning about eBPF, its capabilities, and how to understand and write eBPF code. The final objectives of this project are twofold. First, candidates will evaluate the state-of-the-art literature, assessing the strengths and weaknesses of several observability solutions and quantitatively analyzing the overhead on the system resources (e.g., CPU, memory). Second, candidates will focus on decreasing resource usage in these solutions; examples may include upgrades of the kernel version, better selection of observed features, and more.
Level: MSc
Supervisors: Matteo Franzil (mfranzil@fbk.eu), Luis Augusto Dias Knob (l.diasknob@fbk.eu)
Prerequisites:
- Basic knowledge of Linux system calls
- Knowledge of computer networking and containers
- Experience with Python 3 and Go; adaptability to other languages is a plus
Topics: Observability, Computer networking, eBPF
References:
- ebpf.io, ‘What is eBPF? An Introduction and Deep Dive into the eBPF Technology’, Mar. 05, 2022. Available: https://ebpf.io/what-is-ebpf/.
- J. Levin and T. A. Benson, ‘ViperProbe: Rethinking Microservice Observability with eBPF’, in 2020 IEEE 9th International Conference on Cloud Networking (CloudNet), Piscataway, NJ, USA: IEEE, Nov. 2020, pp. 1–8. doi: 10.1109/CloudNet51028.2020.9335808. Available: https://ieeexplore.ieee.org/document/9335808/.
- C. Cassagnes, L. Trestioreanu, C. Joly and R. State, "The rise of eBPF for non-intrusive performance monitoring," NOMS 2020 - 2020 IEEE/IFIP Network Operations and Management Symposium, Budapest, Hungary, 2020, pp. 1-7, doi: 10.1109/NOMS47738.2020.9110434.