A Study on Container Vulnerability Exploit Detection

Title: A Study on Container Vulnerability Exploit Detection
Publication Type: Conference Paper
Year of Publication: 2019
Authors: Tunde-Onadele, Olufogorehan; He, Jingzhu; Dai, Ting; Gu, Xiaohui
Conference Name: 2019 IEEE International Conference on Cloud Engineering (IC2E)
Keywords: anomaly detection, cloud computing, cloud computing infrastructures, compositionality, Container Security, container vulnerability exploit detection, Containers, Databases, Docker Images, dynamic anomaly detection scheme, dynamic vulnerability attack detection schemes, feature extraction, Heuristic algorithms, Human Behavior, image processing, learning (artificial intelligence), machine learning, Metrics, pubcrawl, Resiliency, security, security of data, static vulnerability attack detection schemes, Tools, vulnerability detection
Abstract: Containers have become increasingly popular for deploying applications in cloud computing infrastructures. However, recent studies have shown that containers are prone to various security attacks. In this paper, we conduct a study on the effectiveness of various vulnerability detection schemes for containers. Specifically, we implement and evaluate a set of static and dynamic vulnerability attack detection schemes using 28 real-world vulnerability exploits that widely exist in Docker images. Our results show that the static vulnerability scanning scheme only detects 3 out of 28 tested vulnerabilities and dynamic anomaly detection schemes detect 22 vulnerability exploits. Combining static and dynamic schemes can further improve the detection rate to 86% (i.e., 24 out of 28 exploits). We also observe that the dynamic anomaly detection scheme can achieve more than 20 seconds lead time (i.e., a time window before attacks succeed) for a group of commonly seen attacks in containers that try to gain a shell and execute arbitrary code.
Citation Key: tunde-onadele_study_2019