A Cost-effective Framework to Proactive and Non-disruptive Attack Mitigation in Kubernetes Clusters

Bagheri, Sima (2023) A Cost-effective Framework to Proactive and Non-disruptive Attack Mitigation in Kubernetes Clusters. Masters thesis, Concordia University.

Text (application/pdf)
Bagheri_MASc_F2023.pdf - Accepted Version
Available under License Spectrum Terms of Access.
3MB

Abstract

A large-scale cluster of containers managed with an orchestrator like Kubernetes is behind many cloud-native applications today. However, the weaker isolation provided by containers means attackers can potentially exploit a vulnerable container and then escape its isolation to cause more severe damage to the underlying infrastructure and its hosted applications. Besides, Kubernetes reportedly suffers from security vulnerabilities and misconfigurations which may lead to severe security threats.
Defending against such an attack using existing attack detection solutions can be challenging. Due to the well-known high false positive rate of such solutions, taking aggressive actions upon every alert can lead to unacceptable service disruption. On the other hand, waiting for security administrators to perform in-depth analysis and validation could render the mitigation too late to prevent irreversible damage, e.g., denial of service. In this thesis, we propose WARP, a cost-effective framework for proactive and non-disruptive attack mitigation that addresses these security challenges for Kubernetes clusters. First, our framework is proactive in the sense that it performs mitigation based on predicted (instead of real) attacks, which prevents irreversible damage. Second, our mitigation framework is designed to be non-disruptive, which it achieves through live migration of containers; this causes no service disruption even in the case of false positives. Finally, to realize the full potential of this framework in container migration, we formulate the inherent tradeoff between security and cost (delay) as a multi-objective optimization problem and propose a heuristic algorithm to efficiently achieve a high level of threat reduction with minimal imposed delay. We implement and integrate WARP based on Kubernetes as the most popular container orchestration platform. Our evaluation results show that WARP can successfully mitigate up to 81% of the attacks, and our heuristic algorithm achieves up to 30% more threat reduction and 7% less delay while being 37 times faster compared to a standard optimization solution.

Divisions: Concordia University > Gina Cody School of Engineering and Computer Science > Concordia Institute for Information Systems Engineering
Item Type: Thesis (Masters)
Authors: Bagheri, Sima
Institution: Concordia University
Degree Name: M.A. Sc.
Program: Information Systems Security
Date: 27 October 2023
Thesis Supervisor(s): Wang, Lingyu and Majumdar, Suryadipta
ID Code: 993170
Deposited By: Sima Bagheri
Deposited On: 05 Jun 2024 16:17
Last Modified: 05 Jun 2024 16:17
All items in Spectrum are protected by copyright, with all rights reserved. The use of items is governed by Spectrum's terms of access.
