Application containers security model
Keywords: application, container, security, intrusion detection, intrusion detection system, system call
The purpose of container environments for the development, delivery and operation of various types of software applications has been established. Web and mobile applications are the most widespread use case, owing to the container medium's emphasis on quick loading and installation. With this method, the infrastructure can be treated as code, with the benefits that brings: first and foremost, accelerated development of software applications, in particular a shorter time between their conception and launch. This is facilitated by download utilities, by the deployment of container environments on container virtualization platforms, and by the management of software applications. Despite this, the need to ensure the security of software applications limits the practical adoption of container systems. This is primarily due to the use of standard approaches based on intrusion detection systems; the features of container environments in relation to real settings were overlooked when those systems were first introduced. Systems that take into account the vulnerabilities and threats of container virtualization platforms, and that monitor the processes of container environments given their unique architecture and input load flow, are few. To overcome the difficulties of employing intrusion detection systems, a model for ensuring the security of container environments of software applications is proposed. It is based on the idea of using the system calls of the host system, with the Linux operating system as the example, because system calls are the means by which software applications interact with the kernel. As a result, users have been identified as the sources of probable intrusions into container environments. Additionally, examples of atypical commands to analyze during the execution of system calls are given.
Based on the obtained results, the stages of intrusion detection and the transitions between them have been distinguished, and a Petri net is used to formalize this process. Intrusion detection is defined by sets of stages, transitions between stages, and relations between stages and transitions. With the suggested approach, the security of container environments for software applications can be established.
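The staged, system-call-based detection the abstract describes can be made concrete as a small Petri net whose places are the detection stages and whose transitions fire on each captured system call. This is an added example, not code from the paper: the stage names, the per-container syscall profile, the trace format and the syscalls in it are all constructed assumptions.

```python
from collections import Counter
# Places are the detection stages (idle -> captured -> suspect -> alert);
# transitions are the moves between them: name -> (input places, output places).
TRANSITIONS = {
    "capture":   ({"idle"}, {"captured"}),
    "match_ok":  ({"captured"}, {"idle"}),
    "match_bad": ({"captured"}, {"suspect"}),
    "escalate":  ({"suspect"}, {"alert"}),
    "reset":     ({"alert"}, {"idle"}),
}
# Constructed profile: syscalls the containerised app is expected to issue.
ALLOWED = {"read", "write", "openat", "close", "futex", "epoll_wait"}
# Constructed trace, one syscall event per line (not real capture output).
TRACE = """\
pid=1042 comm=node syscall=epoll_wait
pid=1042 comm=node syscall=read
pid=1042 comm=node syscall=ptrace
pid=1042 comm=node syscall=write
pid=1042 comm=node syscall=mount
"""

def enabled(marking, t):
    """A transition is enabled when every input place holds a token."""
    return all(marking[p] > 0 for p in TRANSITIONS[t][0])

def fire(marking, t):
    """Consume one token per input place, produce one per output place."""
    if not enabled(marking, t):
        raise ValueError(f"transition {t!r} not enabled in {dict(marking)}")
    ins, outs = TRANSITIONS[t]
    for p in ins: marking[p] -= 1
    for p in outs: marking[p] += 1
    return marking

def parse(line):
    return dict(kv.split("=", 1) for kv in line.split())

def detect(trace):
    """Push each syscall event through the net; return (alerts, firings)."""
    marking, alerts, fired = Counter({"idle": 1}), [], []
    for ev in map(parse, trace.splitlines()):
        fired.append("capture"); fire(marking, "capture")
        if ev["syscall"] in ALLOWED:           # matches the profile: back to idle
            fired.append("match_ok"); fire(marking, "match_ok")
            continue
        for t in ("match_bad", "escalate", "reset"):   # atypical: raise, then reset
            fired.append(t); fire(marking, t)
        alerts.append((ev["pid"], ev["syscall"]))
    return alerts, fired
```

The firing sequence returned by `detect` is the trace of the net's transitions, which is what the Petri net formalization makes checkable: every alert corresponds to the path captured, suspect, alert, and the marking returns to the initial stage afterwards.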
Copyright (c) 2020 Information technology and security
This work is licensed under a Creative Commons Attribution 4.0 International License.