Visible to the public Biblio

Filters: Keyword is containers  [Clear All Filters]
2020-10-29
Kahla, Mostafa, Azab, Mohamed, Mansour, Ahmed.  2018.  Secure, Resilient, and Self-Configuring Fog Architecture for Untrustworthy IoT Environments. 2018 17th IEEE International Conference On Trust, Security And Privacy In Computing And Communications/ 12th IEEE International Conference On Big Data Science And Engineering (TrustCom/BigDataSE). :49—54.

The extensive increase in the number of IoT devices and the massive data generated and sent to the cloud hinder the cloud abilities to handle it. Further, some IoT devices are latency-sensitive. Such sensitivity makes it harder for far clouds to handle the IoT needs in a timely manner. A new technology named "Fog computing" has emerged as a solution to such problems. Fog computing relies on close by computational devices to handle the conventional cloud load. However, Fog computing introduced additional problems related to the trustworthiness and safety of such devices. Unfortunately, the suggested architectures did not consider such problem. In this paper we present a novel self-configuring fog architecture to support IoT networks with security and trust in mind. We realize the concept of Moving-target defense by mobilizing the applications inside the fog using live migrations. Performance evaluations using a benchmark for mobilized applications showed that the added overhead of live migrations is very small making it deployable in real scenarios. Finally, we presented a mathematical model to estimate the survival probabilities of both static and mobile applications within the fog. Moreover, this work can be extended to other systems such as mobile ad-hoc networks (MANETS) or in vehicular cloud computing (VCC).

2020-10-26
Criswell, John, Zhou, Jie, Gravani, Spyridoula, Hu, Xiaoyu.  2019.  PrivAnalyzer: Measuring the Efficacy of Linux Privilege Use. 2019 49th Annual IEEE/IFIP International Conference on Dependable Systems and Networks (DSN). :593–604.
Operating systems such as Linux break the power of the root user into separate privileges (which Linux calls capabilities) and give processes the ability to enable privileges only when needed and to discard them permanently when the program no longer needs them. However, there is no method of measuring how well the use of such facilities reduces the risk of privilege escalation attacks if the program has a vulnerability. This paper presents PrivAnalyzer, an automated tool that measures how effectively programs use Linux privileges. PrivAnalyzer consists of three components: 1) AutoPriv, an existing LLVM-based C/C++ compiler which uses static analysis to transform a program that uses Linux privileges into a program that safely removes them when no longer needed, 2) ChronoPriv, a new LLVM C/C++ compiler pass that performs dynamic analysis to determine for how long a program retains various privileges, and 3) ROSA, a new bounded model checker that can model the damage a program can do at each program point if an attacker can exploit the program and abuse its privileges. We use PrivAnalyzer to determine how long five privileged open source programs retain the ability to cause serious damage to a system and find that merely transforming a program to drop privileges does not significantly improve security. However, we find that simple refactoring can considerably increase the efficacy of Linux privileges. In two programs that we refactored, we reduced the percentage of execution in which a device file can be read and written from 97% and 88% to 4% and 1%, respectively.
2020-09-21
Corneci, Vlad-Mihai, Carabas, Costin, Deaconescu, Razvan, Tapus, Nicolae.  2019.  Adding Custom Sandbox Profiles to iOS Apps. 2019 18th RoEduNet Conference: Networking in Education and Research (RoEduNet). :1–5.
The massive adoption of mobile devices by both individuals and companies is raising many security concerns. The fact that such devices are handling sensitive data makes them a target for attackers. Many attack prevention mechanisms are deployed with a last line of defense that focuses on the containment principle. Currently, iOS treats each 3rd party application alike which may lead to security flaws. We propose a framework in which each application has a custom sandboxed environment. We investigated the current confinement architecture used by Apple and built a solution on top of it.
Osman, Amr, Bruckner, Pascal, Salah, Hani, Fitzek, Frank H. P., Strufe, Thorsten, Fischer, Mathias.  2019.  Sandnet: Towards High Quality of Deception in Container-Based Microservice Architectures. ICC 2019 - 2019 IEEE International Conference on Communications (ICC). :1–7.
Responding to network security incidents requires interference with ongoing attacks to restore the security of services running on production systems. This approach prevents damage, but drastically impedes the collection of threat intelligence and the analysis of vulnerabilities, exploits, and attack strategies. We propose the live confinement of suspicious microservices into a sandbox network that allows to monitor and analyze ongoing attacks under quarantine and that retains an image of the vulnerable and open production network. A successful sandboxing requires that it happens completely transparent to and cannot be detected by an attacker. Therefore, we introduce a novel metric to measure the Quality of Deception (QoD) and use it to evaluate three proposed network deception mechanisms. Our evaluation results indicate that in our evaluation scenario in best case, an optimal QoD is achieved. In worst case, only a small downtime of approx. 3s per microservice (MS) occurs and thus a momentary drop in QoD to 70.26% before it converges back to optimum as the quarantined services are restored.
2020-09-18
Yudin, Oleksandr, Ziubina, Ruslana, Buchyk, Serhii, Frolov, Oleg, Suprun, Olha, Barannik, Natalia.  2019.  Efficiency Assessment of the Steganographic Coding Method with Indirect Integration of Critical Information. 2019 IEEE International Conference on Advanced Trends in Information Theory (ATIT). :36—40.
The presented method of encoding and steganographic embedding of a series of bits for the hidden message was first developed by modifying the digital platform (bases) of the elements of the image container. Unlike other methods, steganographic coding and embedding is accomplished by changing the elements of the image fragment, followed by the formation of code structures for the established structure of the digital representation of the structural elements of the image media image. The method of estimating quantitative indicators of embedded critical data is presented. The number of bits of the container for the developed method of steganographic coding and embedding of critical information is estimated. The efficiency of the presented method is evaluated and the comparative analysis of the value of the embedded digital data in relation to the method of weight coefficients of the discrete cosine transformation matrix, as well as the comparative analysis of the developed method of steganographic coding, compared with the Koch and Zhao methods to determine the embedded data resistance against attacks of various types. It is determined that for different values of the quantization coefficient, the most critical are the built-in containers of critical information, which are built by changing the part of the digital video data platform depending on the size of the digital platform and the number of bits of the built-in container.
2020-09-08
Mavridis, Ilias, Karatza, Helen.  2019.  Lightweight Virtualization Approaches for Software-Defined Systems and Cloud Computing: An Evaluation of Unikernels and Containers. 2019 Sixth International Conference on Software Defined Systems (SDS). :171–178.
Software defined systems use virtualization technologies to provide an abstraction of the hardware infrastructure at different layers. Ultimately, the adoption of software defined systems in all cloud infrastructure components will lead to Software Defined Cloud Computing. Nevertheless, virtualization has already been used for years and is a key element of cloud computing. Traditionally, virtual machines are deployed in cloud infrastructure and used to execute applications on common operating systems. New lightweight virtualization technologies, such as containers and unikernels, appeared later to improve resource efficiency and facilitate the decomposition of big monolithic applications into multiple, smaller services. In this work, we present and empirically evaluate four popular unikernel technologies, Docker containers and Docker LinuxKit. We deployed containers both on bare metal and on virtual machines. To fairly evaluate their performance, we created similar applications for unikernels and containers. Additionally, we deployed full-fledged database applications ported on both virtualization technologies. Although in bibliography there are a few studies which compare unikernels and containers, in our study for the first time, we provide a comprehensive performance evaluation of clean-slate and legacy unikernels, Docker containers and Docker LinuxKit.
2020-05-11
Takahashi, Daisuke, Xiao, Yang, Li, Tieshan.  2018.  Database Structures for Accountable Flow-Net Logging. 2018 10th International Conference on Communication Software and Networks (ICCSN). :254–258.
Computer and network accountability is to make every action in computers and networks accountable. In order to achieve accountability, we need to answer the following questions: what did it happen? When did it happen? Who did it? In order to achieve accountability, the first step is to record what exactly happened. Therefore, an accountable logging is needed and implemented in computers and networks. Our previous work proposed a novel accountable logging methodology called Flow-Net. However, how to storage the huge amount of Flow-net logs into databases is not clear. In this paper, we try to answer this question.
2020-05-04
Chen, Jianfeng, Liu, Jie, Sun, Zhi, Li, Chunlin, Hu, Chunhui.  2019.  An Intelligent Cyberspace Defense Architecture Based on Elastic Resource Infrastructure and Dynamic Container Orchestration. 2019 International Conference on Networking and Network Applications (NaNA). :235–240.

The borderless, dynamic, high dimensional and virtual natures of cyberspace have brought unprecedented hard situation for defenders. To fight uncertain challenges in versatile cyberspace, a security framework based on the cloud computing platform that facilitates containerization technology to create a security capability pool to generate and distribute security payload according to system needs. Composed by four subsystems of the security decision center, the image and container library, the decision rule base and the security event database, this framework distills structured knowledge from aggregated security events and then deliver security load to the managed network or terminal nodes directed by the decision center. By introducing such unified and standardized top-level security framework that is decomposable, combinable and configurable in a service-oriented manner, it could offer flexibility and effectiveness in reconstructing security resource allocation and usage to reach higher efficiency.

2020-04-10
Watanabe, Hidenobu, Kondo, Tohru, Ohigashi, Toshihiro.  2019.  Implementation of Platform Controller and Process Modules of the Edge Computing for IoT Platform. 2019 IEEE International Conference on Pervasive Computing and Communications Workshops (PerCom Workshops). :407—410.
Edge computing requires a flexible choice of data-processing and rapidly computation performed at the edge of networks. We proposed an edge computing platform with container-based virtualization technology. In the platform, data-processing instances are modularized and deployed to edge nodes suitable for user requirements with keeping the data-processing flows within wide area network. This paper reports the platform controller and the process modules implemented to realize the secure and flexible edge computing platform.
2020-03-30
Dreher, Patrick, Ramasami, Madhuvanti.  2019.  Prototype Container-Based Platform for Extreme Quantum Computing Algorithm Development. 2019 IEEE High Performance Extreme Computing Conference (HPEC). :1–7.
Recent advances in the development of the first generation of quantum computing devices have provided researchers with computational platforms to explore new ideas and reformulate conventional computational codes suitable for a quantum computer. Developers can now implement these reformulations on both quantum simulators and hardware platforms through a cloud computing software environment. For example, the IBM Q Experience provides the direct access to their quantum simulators and quantum computing hardware platforms. However these current access options may not be an optimal environment for developers needing to download and modify the source codes and libraries. This paper focuses on the construction of a Docker container environment with Qiskit source codes and libraries running on a local cloud computing system that can directly access the IBM Q Experience. This prototype container based system allows single user and small project groups to do rapid prototype development, testing and implementation of extreme capability algorithms with more agility and flexibility than can be provided through the IBM Q Experience website. This prototype environment also provides an excellent teaching environment for labs and project assignments within graduate courses in cloud computing and quantum computing. The paper also discusses computer security challenges for expanding this prototype container system to larger groups of quantum computing researchers.
2020-03-27
Jadidi, Mahya Soleimani, Zaborski, Mariusz, Kidney, Brian, Anderson, Jonathan.  2019.  CapExec: Towards Transparently-Sandboxed Services. 2019 15th International Conference on Network and Service Management (CNSM). :1–5.
Network services are among the riskiest programs executed by production systems. Such services execute large quantities of complex code and process data from arbitrary — and untrusted — network sources, often with high levels of system privilege. It is desirable to confine system services to a least-privileged environment so that the potential damage from a malicious attacker can be limited, but existing mechanisms for sandboxing services require invasive and system-specific code changes and are insufficient to confine broad classes of network services. Rather than sandboxing one service at a time, we propose that the best place to add sandboxing to network services is in the service manager that starts those services. As a first step towards this vision, we propose CapExec, a process supervisor that can execute a single service within a sandbox based on a service declaration file in which, required resources whose limited access to are supported by Caper services, are specified. Using the Capsicum compartmentalization framework and its Casper service framework, CapExec provides robust application sandboxing without requiring any modifications to the application itself. We believe that this is the first step towards ubiquitous sandboxing of network services without the costs of virtualization.
2020-03-16
Udod, Kyryll, Kushnarenko, Volodymyr, Wesner, Stefan, Svjatnyj, Volodymyr.  2019.  Preservation System for Scientific Experiments in High Performance Computing: Challenges and Proposed Concept. 2019 10th IEEE International Conference on Intelligent Data Acquisition and Advanced Computing Systems: Technology and Applications (IDAACS). 2:809–813.
Continuously growing amount of research experiments using High Performance Computing (HPC) leads to the questions of research data management and in particular how to preserve a scientific experiment including all related data for long term for its future reproduction. This paper covers some challenges and possible solutions related to the preservation of scientific experiments on HPC systems and represents a concept of the preservation system for HPC computations. Storage of the experiment itself with some related data is not only enough for its future reproduction, especially in the long term. For that case preservation of the whole experiment's environment (operating system, used libraries, environment variables, input data, etc.) via containerization technology (e.g. using Docker, Singularity) is proposed. This approach allows to preserve the entire environment, but is not always possible on every HPC system because of security issues. And it also leaves a question, how to deal with commercial software that was used within the experiment. As a possible solution we propose to run a preservation process outside of the computing system on the web-server and to replace all commercial software inside the created experiment's image with open source analogues that should allow future reproduction of the experiment without any legal issues. The prototype of such a system was developed, the paper provides the scheme of the system, its main features and describes the first experimental results and further research steps.
2020-03-02
Yoshikawa, Takashi, Date, Susumu, Watashiba, Yasuhiro, Matsui, Yuki, Nozaki, Kazunori, Murakami, Shinya, Lee, Chonho, Hida, Masami, Shimojo, Shinji.  2019.  Secure Staging System for Highly Confidential Data Built on Reconfigurable Computing Platform. 2019 IEEE International Conference on Computational Science and Engineering (CSE) and IEEE International Conference on Embedded and Ubiquitous Computing (EUC). :308–313.
Cloud use for High Performance Computing (HPC) and High Performance Data Analytics (HPDA) is increasing. The data are transferred to the cloud and usually left there even after the data being processed. There is security concern for such data being left online. We propose secure staging system to prepare not only data but also computing platform for processing the data dynamically just while the data is processed. The data plane of the secure staging system has dynamic reconfigurability with several lower-than-IP-layer partitioning mechanisms. The control plane consists of a scheduler and a resource provisioner working together to reconfigure the partitioning in the data plane dynamically. A field trial system is deployed for treating secure data in dental school to be processed in the computer center with the location distance of 1km. The system shows high score in the Common Vulnerability Scoring System (CVSS) evaluation.
2020-02-17
Tunde-Onadele, Olufogorehan, He, Jingzhu, Dai, Ting, Gu, Xiaohui.  2019.  A Study on Container Vulnerability Exploit Detection. 2019 IEEE International Conference on Cloud Engineering (IC2E). :121–127.
Containers have become increasingly popular for deploying applications in cloud computing infrastructures. However, recent studies have shown that containers are prone to various security attacks. In this paper, we conduct a study on the effectiveness of various vulnerability detection schemes for containers. Specifically, we implement and evaluate a set of static and dynamic vulnerability attack detection schemes using 28 real world vulnerability exploits that widely exist in docker images. Our results show that the static vulnerability scanning scheme only detects 3 out of 28 tested vulnerabilities and dynamic anomaly detection schemes detect 22 vulnerability exploits. Combining static and dynamic schemes can further improve the detection rate to 86% (i.e., 24 out of 28 exploits). We also observe that the dynamic anomaly detection scheme can achieve more than 20 seconds lead time (i.e., a time window before attacks succeed) for a group of commonly seen attacks in containers that try to gain a shell and execute arbitrary code.
2020-02-10
Yang, Weiyong, Liu, Wei, Wei, Xingshen, Lv, Xiaoliang, Qi, Yunlong, Sun, Boyan, Liu, Yin.  2019.  Micro-Kernel OS Architecture and its Ecosystem Construction for Ubiquitous Electric Power IoT. 2019 IEEE International Conference on Energy Internet (ICEI). :179–184.

The operating system is extremely important for both "Made in China 2025" and ubiquitous electric power Internet of Things. By investigating of five key requirements for ubiquitous electric power Internet of Things at the OS level (performance, ecosystem, information security, functional security, developer framework), this paper introduces the intelligent NARI microkernel Operating System and its innovative schemes. It is implemented with microkernel architecture based on the trusted computing. Some technologies such as process based fine-grained real-time scheduling algorithm, sigma0 efficient message channel and service process binding in multicore are applied to improve system performance. For better ecological expansion, POSIX standard API is compatible, Linux container, embedded virtualization and intelligent interconnection technology are supported. Native process sandbox and mimicry defense are considered for security mechanism design. Multi-level exception handling and multidimensional partition isolation are adopted to provide High Reliability. Theorem-assisted proof tools based on Isabelle/HOL is used to verify the design and implementation of NARI microkernel OS. Developer framework including tools, kit and specification is discussed when developing both system software and user software on this IoT OS.

2020-01-21
Caprolu, Maurantonio, Di Pietro, Roberto, Lombardi, Flavio, Raponi, Simone.  2019.  Edge Computing Perspectives: Architectures, Technologies, and Open Security Issues. 2019 IEEE International Conference on Edge Computing (EDGE). :116–123.

Edge and Fog Computing will be increasingly pervasive in the years to come due to the benefits they bring in many specific use-case scenarios over traditional Cloud Computing. Nevertheless, the security concerns Fog and Edge Computing bring in have not been fully considered and addressed so far, especially when considering the underlying technologies (e.g. virtualization) instrumental to reap the benefits of the adoption of the Edge paradigm. In particular, these virtualization technologies (i.e. Containers, Real Time Operating Systems, and Unikernels), are far from being adequately resilient and secure. Aiming at shedding some light on current technology limitations, and providing hints on future research security issues and technology development, in this paper we introduce the main technologies supporting the Edge paradigm, survey existing issues, introduce relevant scenarios, and discusses benefits and caveats of the different existing solutions in the above introduced scenarios. Finally, we provide a discussion on the current security issues in the introduced context, and strive to outline future research directions in both security and technology development in a number of Edge/Fog scenarios.

2020-01-20
Faticanti, Francescomaria, De Pellegrini, Francesco, Siracusa, Domenico, Santoro, Daniele, Cretti, Silvio.  2019.  Cutting Throughput with the Edge: App-Aware Placement in Fog Computing. 2019 6th IEEE International Conference on Cyber Security and Cloud Computing (CSCloud)/ 2019 5th IEEE International Conference on Edge Computing and Scalable Cloud (EdgeCom). :196–203.

Fog computing extends cloud computing technology to the edge of the infrastructure to support dynamic computation for IoT applications. Reduced latency and location awareness in objects' data access is attained by displacing workloads from the central cloud to edge devices. Doing so, it reduces raw data transfers from target objects to the central cloud, thus overcoming communication bottlenecks. This is a key step towards the pervasive uptake of next generation IoT-based services. In this work we study efficient orchestration of applications in fog computing, where a fog application is the cascade of a cloud module and a fog module. The problem results into a mixed integer non linear optimisation. It involves multiple constraints due to computation and communication demands of fog applications, available infrastructure resources and it accounts also the location of target IoT objects. We show that it is possible to reduce the complexity of the original problem with a related placement formulation, which is further solved using a greedy algorithm. This algorithm is the core placement logic of FogAtlas, a fog computing platform based on existing virtualization technologies. Extensive numerical results validate the model and the scalability of the proposed algorithm, showing performance close to the optimal solution with respect to the number of served applications.

2019-12-30
Bazm, Mohammad-Mahdi, Lacoste, Marc, Südholt, Mario, Menaud, Jean-Marc.  2018.  Secure Distributed Computing on Untrusted Fog Infrastructures Using Trusted Linux Containers. 2018 IEEE International Conference on Cloud Computing Technology and Science (CloudCom). :239–242.
Fog and Edge computing provide a large pool of resources at the edge of the network that may be used for distributed computing. Fog infrastructure heterogeneity also results in complex configuration of distributed applications on computing nodes. Linux containers are a mainstream technique allowing to run packaged applications and micro services. However, running applications on remote hosts owned by third parties is challenging because of untrusted operating systems and hardware maintained by third parties. To meet such challenges, we may leverage trusted execution mechanisms. In this work, we propose a model for distributed computing on Fog infrastructures using Linux containers secured by Intel's Software Guard Extensions (SGX) technology. We implement our model on a Docker and OpenSGX platform. The result is a secure and flexible approach for distributed computing on Fog infrastructures.
2019-10-28
Trunov, Artem S., Voronova, Lilia I., Voronov, Vyacheslav I., Ayrapetov, Dmitriy P..  2018.  Container Cluster Model Development for Legacy Applications Integration in Scientific Software System. 2018 IEEE International Conference "Quality Management, Transport and Information Security, Information Technologies" (IT QM IS). :815–819.
Feature of modern scientific information systems is their integration with computing applications, providing distributed computer simulation and intellectual processing of Big Data using high-efficiency computing. Often these software systems include legacy applications in different programming languages, with non-standardized interfaces. To solve the problem of applications integration, containerization systems are using that allow to configure environment in the shortest time to deploy software system. However, there are no such systems for computer simulation systems with large number of nodes. The article considers the actual task of combining containers into a cluster, integrating legacy applications to manage the distributed software system MD-SLAG-MELT v.14, which supports high-performance computing and visualization of the computer experiments results. Testing results of the container cluster including automatic load sharing module for MD-SLAG-MELT system v.14. are given.
2019-03-11
Puesche, A., Bothe, D., Niemeyer, M., Sachweh, S., Pohlmann, N., Kunold, I..  2018.  Concept of Smart Building Cyber-physical Systems Including Tamper Resistant Endpoints. 2018 International IEEE Conference and Workshop in Óbuda on Electrical and Power Engineering (CANDO-EPE). :000127–000132.

Cyber-physical systems (CPS) and their Internet of Things (IoT) components are repeatedly subject to various attacks targeting weaknesses in their firmware. For that reason emerges an imminent demand for secure update mechanisms that not only include specific systems but cover all parts of the critical infrastructure. In this paper we introduce a theoretical concept for a secure CPS device update and verification mechanism and provide information on handling hardware-based security incorporating trusted platform modules (TPM) on those CPS devices. We will describe secure communication channels by state of the art technology and also integrity measurement mechanisms to ensure the system is in a known state. In addition, a multi-level fail-over concept is presented, ensuring continuous patching to minimize the necessity of restarting those systems.

2019-02-22
Novikov, A. S., Ivutin, A. N., Troshina, A. G., Vasiliev, S. N..  2018.  Detecting the Use of Unsafe Data in Software of Embedded Systems by Means of Static Analysis Methodology. 2018 7th Mediterranean Conference on Embedded Computing (MECO). :1-4.

The article considers the approach to identifying potentially unsafe data in program code of embedded systems which can lead to errors and fails in the functioning of equipment. The sources of invalid data are revealed and the process of changing the status of this data in process of static code analysis is shown. The mechanism for annotating functions that operate on unsafe data is described, which allows to control the entire process of using them and thus it will improve the quality of the output code.

2019-02-08
Ioini, N. E., Pahl, C..  2018.  Trustworthy Orchestration of Container Based Edge Computing Using Permissioned Blockchain. 2018 Fifth International Conference on Internet of Things: Systems, Management and Security. :147-154.

The need to process the verity, volume and velocity of data generated by today's Internet of Things (IoT) devices has pushed both academia and the industry to investigate new architectural alternatives to support the new challenges. As a result, Edge Computing (EC) has emerged to address these issues, by placing part of the cloud resources (e.g., computation, storage, logic) closer to the edge of the network, which allows faster and context dependent data analysis and storage. However, as EC infrastructures grow, different providers who do not necessarily trust each other need to collaborate in order serve different IoT devices. In this context, EC infrastructures, IoT devices and the data transiting the network all need to be subject to identity and provenance checks, in order to increase trust and accountability. Each device/data in the network needs to be identified and the provenance of its actions needs to be tracked. In this paper, we propose a blockchain container based architecture that implements the W3C-PROV Data Model, to track identities and provenance of all orchestration decisions of a business network. This architecture provides new forms of interaction between the different stakeholders, which supports trustworthy transactions and leads to a new decentralized interaction model for IoT based applications.

2018-11-19
Kedrowitsch, Alexander, Yao, Danfeng(Daphne), Wang, Gang, Cameron, Kirk.  2017.  A First Look: Using Linux Containers for Deceptive Honeypots. Proceedings of the 2017 Workshop on Automated Decision Making for Active Cyber Defense. :15–22.

The ever-increasing sophistication of malware has made malicious binary collection and analysis an absolute necessity for proactive defenses. Meanwhile, malware authors seek to harden their binaries against analysis by incorporating environment detection techniques, in order to identify if the binary is executing within a virtual environment or in the presence of monitoring tools. For security researchers, it is still an open question regarding how to remove the artifacts from virtual machines to effectively build deceptive "honeypots" for malware collection and analysis. In this paper, we explore a completely different and yet promising approach by using Linux containers. Linux containers, in theory, have minimal virtualization artifacts and are easily deployable on low-power devices. Our work performs the first controlled experiments to compare Linux containers with bare metal and 5 major types of virtual machines. We seek to measure the deception capabilities offered by Linux containers to defeat mainstream virtual environment detection techniques. In addition, we empirically explore the potential weaknesses in Linux containers to help defenders to make more informed design decisions.

2018-06-20
Petersen, E., To, M. A., Maag, S..  2017.  A novel online CEP learning engine for MANET IDS. 2017 IEEE 9th Latin-American Conference on Communications (LATINCOM). :1–6.

In recent years the use of wireless ad hoc networks has seen an increase of applications. A big part of the research has focused on Mobile Ad Hoc Networks (MAnETs), due to its implementations in vehicular networks, battlefield communications, among others. These peer-to-peer networks usually test novel communications protocols, but leave out the network security part. A wide range of attacks can happen as in wired networks, some of them being more damaging in MANETs. Because of the characteristics of these networks, conventional methods for detection of attack traffic are ineffective. Intrusion Detection Systems (IDSs) are constructed on various detection techniques, but one of the most important is anomaly detection. IDSs based only in past attacks signatures are less effective, even more if these IDSs are centralized. Our work focuses on adding a novel Machine Learning technique to the detection engine, which recognizes attack traffic in an online way (not to store and analyze after), re-writing IDS rules on the fly. Experiments were done using the Dockemu emulation tool with Linux Containers, IPv6 and OLSR as routing protocol, leading to promising results.

2018-05-09
Azab, M., Fortes, J. A. B..  2017.  Towards Proactive SDN-Controller Attack and Failure Resilience. 2017 International Conference on Computing, Networking and Communications (ICNC). :442–448.

SDN networks rely mainly on a set of software defined modules, running on generic hardware platforms, and managed by a central SDN controller. The tight coupling and lack of isolation between the controller and the underlying host limit the controller resilience against host-based attacks and failures. That controller is a single point of failure and a target for attackers. ``Linux-containers'' is a successful thin virtualization technique that enables encapsulated, host-isolated execution-environments for running applications. In this paper we present PAFR, a controller sandboxing mechanism based on Linux-containers. PAFR enables controller/host isolation, plug-and-play operation, failure-and-attack-resilient execution, and fast recovery. PAFR employs and manages live remote checkpointing and migration between different hosts to evade failures and attacks. Experiments and simulations show that the frequent employment of PAFR's live-migration minimizes the chance of successful attack/failure with limited to no impact on network performance.