Spotlight on Lablet Research #9 - Coordinated Machine Learning-Based Vulnerability and Security Patching for Resilient Virtual Computing Infrastructure

Spotlight on Lablet Research #9 -

Coordinated Machine Learning-Based Vulnerability and Security Patching for Resilient Virtual Computing Infrastructure

Lablet: North Carolina State University

This research aims to assist administrators of virtualized computing infrastructures in making services more resilient to security attacks. This is done through applying machine learning to reduce both security and functionality risks in software patching by continually monitoring patched and unpatched software to discover vulnerabilities and triggering proper security updates.

The existing approach to making services more resilient to security attacks is static security analysis and scheduled patching. NCSU researchers, led by Principal Investigator (PI) Xiaohui (Helen) Gu, determined in their experiments that this approach fails to detect 90% of vulnerabilities, displays high false alarms, and shows memory inflation caused by unnecessary security patching. This research project focuses on runtime vulnerability detection using online machine learning methods and just-in-time security patching. Just-in-time security patching includes applying patches intentionally after attacks are detected, enforcing update validation, making intelligent decisions on update vice rebuild, and adhering to system operational constraints.

Containers have become increasingly popular for deploying applications in cloud computing infrastructures. However, researchers' previous studies showed that containers are prone to various security attacks. The research team is continuing research on real-time container vulnerability discovery and refining approaches for aggregated learning and application classification. They refined the dynamic vulnerability exploit detection system (changing the algorithm from SOM to autoencoder) and collected results over a set of real-world exploits. Initial results using a limited set of exploits show that this approach to exploit detection has a 100% detection rate and lower than 1% false alarms. Researchers implemented their aggregated behavior learning framework that leverages learning data from different containers running the same application together. After conducting dynamic container vulnerability exploit detection experiments over 31 vulnerability exploits (e.g., return a shell, execute arbitrary code, privilege escalation) detected in 23 commonly used server applications (e.g., Apache, CouchDB, Bash, ElasticSearch, JBoss, OpenSSH), they compared the detection accuracy of aggregated behavior learning versus individual behavior learning. Their experiments show that aggregated learning can improve the accuracy and detection lead time in 70% of tested exploits. The researchers further conducted an initial study on a container classification scheme that can recognize containers running the same application using runtime monitoring data. Those initial experiments show that they can achieve over 80% classification accuracy. Researchers saw improved detection results while training using a larger number of containers. They further refined the application classification algorithm using random forest learning methods and can now achieve over 96% accuracy. They also completed attack type classification implementation by extracting top frequently used system calls during the attack period and conducted extensive experiments. The resulting attack signature can achieve 90% classification accuracy over all tested 31 vulnerability exploits. They also started to implement the on-demand targeted patching (OPatch) system, and initial experiments show that OPatch can reduce memory overhead incurred by patching by up to 84% and disk overhead by up to 40% compared to existing whole software upgrade approach.

Additional details on this project can be found here.