Container Escape Detection for Edge Devices

James Pope; Francesco Raimondo; Vijay Kumar; Ryan McConville; Robert J Piechocki; George Oikonomou; Thomas Paquier; Bo Luo; Dan Howarth; Ioannis Mavromatis; Pietro E Carnelli; Adrian Sanchez-Mompo; Theodoros Spyridopoulos; Aftab Khan

doi:10.1145/3485730.3494114

Container Escape Detection for Edge Devices

James Pope, Francesco Raimondo, Vijay Kumar, Ryan McConville, Robert J Piechocki, George Oikonomou, Thomas Paquier, Bo Luo, Dan Howarth, Ioannis Mavromatis, Pietro E Carnelli, Adrian Sanchez-Mompo, Theodoros Spyridopoulos, Aftab Khan

Research output: Chapter in Book/Report/Conference proceeding › Conference Contribution (Conference Proceeding)

9 Citations (Scopus)

552 Downloads (Pure)

Abstract

Edge computing is rapidly changing the IoT-Cloud landscape. Various testbeds are now able to run multiple Docker-like containers developed and deployed by end-users on edge devices. However, this capability may allow an attacker to deploy a malicious container on the host and compromise it. This paper presents a dataset based on the Linux Auditing System, which contains malicious and benign container activity. We developed two malicious scenarios, a denial of service and a privilege escalation attack, where an adversary uses a container to compromise the edge device. Furthermore, we deployed benign user containers to run in parallel with the malicious containers. Container activity can be captured through the host system via system calls. Our time series auditd dataset contains partial labels for the benign and malicious related system calls. Generating the dataset is largely automated using a provided AutoCES framework. We also present a semi-supervised machine learning use case with the collected data to demonstrate its utility. The dataset and framework code are open-source and publicly available.

Original language	English
Title of host publication	SenSys '21
Subtitle of host publication	Proceedings of the 19th ACM Conference on Embedded Networked Sensor Systems
Place of Publication	New York
Publisher	Association for Computing Machinery (ACM)
Pages	532-536
Number of pages	5
ISBN (Electronic)	978-145039097-2
DOIs	https://doi.org/10.1145/3485730.3494114
Publication status	Published - 15 Nov 2021
Event	19th ACM Conference on Embedded Networked Sensor Systems - Coimbra, Portugal Duration: 15 Nov 2021 → 17 Nov 2021

Conference

Conference	19th ACM Conference on Embedded Networked Sensor Systems
Abbreviated title	SenSys 2021
Country/Territory	Portugal
City	Coimbra
Period	15/11/21 → 17/11/21

Bibliographical note

Funding Information:
This work was supported by UK Research and Innovation, Innovate UK [grant number 53707].

Publisher Copyright:
© 2021 Association for Computing Machinery.

Research Groups and Themes

Cyber Security

Keywords

Datasets
Container Escape
Anomaly Detection
Cybersecurity

Access to Document

10.1145/3485730.3494114

Full-text PDF (accepted manuscript)
This is the accepted author manuscript (AAM). The final published version (version of record) is available online via Association for Computing Machinery (ACM) at 10.1145/3485730.3494114. Please refer to any applicable terms of use of the publisher.
Accepted author manuscript, 1.11 MBLicence: CC BY

Handle.net

Persistent link

9 Citations
1 Chapter in a book

Intrusion Detection at the IoT Edge Using Federated Learning
Pope, J., Spyridopoulos, T., Kumar, V., Raimondo, F., Gunner, S. D., Oikonomou, G., Pasquier, T., McConville, R., Carnelli, P., Sanchez-Mompo, A., Mavrommatis, I. & Khan, A., 29 Oct 2024, Security and Privacy in Smart Environments. Pitropakis, N. & Katsikas, S. (eds.). Springer Nature Switzerland, Vol. 14800. p. 98-119 22 p. (Lecture Notes in Computer Science; vol. 14800).
Research output: Chapter in Book/Report/Conference proceeding › Chapter in a book

1 Finished

SYNERGIA: 8031 SYNERGIA 53707
Oikonomou, G. (Principal Investigator), Piechocki, R. J. (Co-Investigator), Paquier, T. (Co-Investigator), McConville, R. (Co-Investigator), Pope, J. (Co-Investigator), Raimondo, F. (Researcher), Erol, U. (Researcher), Paschou, C. (Researcher), Zakrzewski, R. (Researcher) & Gunner, S. D. (Researcher)
1/11/20 → 31/10/22
Project: Research

Cite this

Pope, J., Raimondo, F., Kumar, V., McConville, R., Piechocki, R. J., Oikonomou, G., Paquier, T., Luo, B., Howarth, D., Mavromatis, I., Carnelli, P. E., Sanchez-Mompo, A., Spyridopoulos, T., & Khan , A. (2021). Container Escape Detection for Edge Devices. In SenSys '21: Proceedings of the 19th ACM Conference on Embedded Networked Sensor Systems (pp. 532-536). Association for Computing Machinery (ACM). https://doi.org/10.1145/3485730.3494114

@inproceedings{7aee4bb3387742e0b7f859c7e35c7c02,

title = "Container Escape Detection for Edge Devices",

abstract = "Edge computing is rapidly changing the IoT-Cloud landscape. Various testbeds are now able to run multiple Docker-like containers developed and deployed by end-users on edge devices. However, this capability may allow an attacker to deploy a malicious container on the host and compromise it. This paper presents a dataset based on the Linux Auditing System, which contains malicious and benign container activity. We developed two malicious scenarios, a denial of service and a privilege escalation attack, where an adversary uses a container to compromise the edge device. Furthermore, we deployed benign user containers to run in parallel with the malicious containers. Container activity can be captured through the host system via system calls. Our time series auditd dataset contains partial labels for the benign and malicious related system calls. Generating the dataset is largely automated using a provided AutoCES framework. We also present a semi-supervised machine learning use case with the collected data to demonstrate its utility. The dataset and framework code are open-source and publicly available.",

keywords = "Datasets, Container Escape, Anomaly Detection, Cybersecurity",

author = "James Pope and Francesco Raimondo and Vijay Kumar and Ryan McConville and Piechocki, {Robert J} and George Oikonomou and Thomas Paquier and Bo Luo and Dan Howarth and Ioannis Mavromatis and Carnelli, {Pietro E} and Adrian Sanchez-Mompo and Theodoros Spyridopoulos and Aftab Khan",

note = "Funding Information: This work was supported by UK Research and Innovation, Innovate UK [grant number 53707]. Publisher Copyright: {\textcopyright} 2021 Association for Computing Machinery.; 19th ACM Conference on Embedded Networked Sensor Systems, SenSys 2021 ; Conference date: 15-11-2021 Through 17-11-2021",

year = "2021",

month = nov,

day = "15",

doi = "10.1145/3485730.3494114",

language = "English",

pages = "532--536",

booktitle = "SenSys '21",

publisher = "Association for Computing Machinery (ACM)",

address = "United States",

}

Pope, J , Raimondo, F, Kumar, V, McConville, R , Piechocki, RJ , Oikonomou, G, Paquier, T, Luo, B, Howarth, D, Mavromatis, I, Carnelli, PE, Sanchez-Mompo, A, Spyridopoulos, T & Khan , A 2021, Container Escape Detection for Edge Devices. in SenSys '21: Proceedings of the 19th ACM Conference on Embedded Networked Sensor Systems. Association for Computing Machinery (ACM), New York, pp. 532-536, 19th ACM Conference on Embedded Networked Sensor Systems, Coimbra, Portugal, 15/11/21. https://doi.org/10.1145/3485730.3494114

Container Escape Detection for Edge Devices. / Pope, James ; Raimondo, Francesco; Kumar, Vijay et al.
SenSys '21: Proceedings of the 19th ACM Conference on Embedded Networked Sensor Systems. New York: Association for Computing Machinery (ACM), 2021. p. 532-536.

Research output: Chapter in Book/Report/Conference proceeding › Conference Contribution (Conference Proceeding)

TY - GEN

T1 - Container Escape Detection for Edge Devices

AU - Pope, James

AU - Raimondo, Francesco

AU - Kumar, Vijay

AU - McConville, Ryan

AU - Piechocki, Robert J

AU - Oikonomou, George

AU - Paquier, Thomas

AU - Luo, Bo

AU - Howarth, Dan

AU - Mavromatis, Ioannis

AU - Carnelli, Pietro E

AU - Sanchez-Mompo, Adrian

AU - Spyridopoulos, Theodoros

AU - Khan , Aftab

PY - 2021/11/15

Y1 - 2021/11/15

N2 - Edge computing is rapidly changing the IoT-Cloud landscape. Various testbeds are now able to run multiple Docker-like containers developed and deployed by end-users on edge devices. However, this capability may allow an attacker to deploy a malicious container on the host and compromise it. This paper presents a dataset based on the Linux Auditing System, which contains malicious and benign container activity. We developed two malicious scenarios, a denial of service and a privilege escalation attack, where an adversary uses a container to compromise the edge device. Furthermore, we deployed benign user containers to run in parallel with the malicious containers. Container activity can be captured through the host system via system calls. Our time series auditd dataset contains partial labels for the benign and malicious related system calls. Generating the dataset is largely automated using a provided AutoCES framework. We also present a semi-supervised machine learning use case with the collected data to demonstrate its utility. The dataset and framework code are open-source and publicly available.

AB - Edge computing is rapidly changing the IoT-Cloud landscape. Various testbeds are now able to run multiple Docker-like containers developed and deployed by end-users on edge devices. However, this capability may allow an attacker to deploy a malicious container on the host and compromise it. This paper presents a dataset based on the Linux Auditing System, which contains malicious and benign container activity. We developed two malicious scenarios, a denial of service and a privilege escalation attack, where an adversary uses a container to compromise the edge device. Furthermore, we deployed benign user containers to run in parallel with the malicious containers. Container activity can be captured through the host system via system calls. Our time series auditd dataset contains partial labels for the benign and malicious related system calls. Generating the dataset is largely automated using a provided AutoCES framework. We also present a semi-supervised machine learning use case with the collected data to demonstrate its utility. The dataset and framework code are open-source and publicly available.

KW - Datasets

KW - Container Escape

KW - Anomaly Detection

KW - Cybersecurity

U2 - 10.1145/3485730.3494114

DO - 10.1145/3485730.3494114

M3 - Conference Contribution (Conference Proceeding)

SP - 532

EP - 536

BT - SenSys '21

PB - Association for Computing Machinery (ACM)

CY - New York

T2 - 19th ACM Conference on Embedded Networked Sensor Systems

Y2 - 15 November 2021 through 17 November 2021

ER -

Container Escape Detection for Edge Devices

Abstract

Conference

Bibliographical note

Research Groups and Themes

Keywords

Access to Document

Handle.net

Fingerprint

Research output

Intrusion Detection at the IoT Edge Using Federated Learning

Projects

SYNERGIA: 8031 SYNERGIA 53707

Cite this