doi: 10.17586/2226-1494-2024-24-6-1007-1015


Enhancing Kubernetes security with machine learning: a proactive approach to anomaly detection

G. Darwesh, H. Jaafar, A. A. Vorobeva


Article in English

For citation:
Darwesh G., Hammoud J., Vorobeva A.A. Enhancing Kubernetes security with machine learning: a proactive approach to anomaly detection. Scientific and Technical Journal of Information Technologies, Mechanics and Optics, 2024, vol. 24, no. 6, pp. 1007–1015. doi: 10.17586/2226-1494-2024-24-6-1007-1015


Abstract
Kubernetes has become a cornerstone of modern software development, enabling scalable and efficient deployment of microservices. That scalability brings significant security challenges, particularly in detecting specific attack types inside dynamic, ephemeral environments. This study applies Machine Learning (ML) techniques to Kubernetes security with a narrow goal: detecting Denial of Service (DoS) attacks and distinguishing them from resource overloads caused by attacks and from natural resource overloads. We developed a custom monitoring agent that collects telemetry from several sources: real-world workloads, actual attack scenarios, simulated hacking attempts, and deliberately induced overloads on containers and pods. The resulting dataset was labeled and preprocessed, including normalization and temporal analysis. We trained and evaluated several ML classifiers; Random Forest and AdaBoost performed best, with F1 macro scores of 0.9990 ± 0.0006 and 0.9990 ± 0.0003, respectively. The novelty of the approach lies in separating the different kinds of resource overload while reliably detecting DoS attacks in Kubernetes environments. The models detected security incidents with high accuracy and low false-positive and false-negative rates. The findings show that ML models can provide a targeted, proactive security framework for Kubernetes, protecting against specific attack vectors while maintaining system reliability.
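The pipeline the abstract describes (per-pod telemetry from an agent, temporal windowing, normalization, a supervised classifier, F1 macro evaluation) in miniature, as an added, runnable illustration. This is not the authors' agent, dataset or model. The telemetry profiles, the four class names, the hand-chosen window features and the nearest-centroid classifier standing in for Random Forest and AdaBoost are all assumptions made for the example; the samples are constructed, not measured. Training and test windows come from separate streams so that overlapping windows from one stream cannot leak across the split, and the scaler is fitted on training data only.

```python
"""Telemetry windowing, min-max normalization and macro-F1 evaluation for a
four-class pod-state classifier (constructed data, standard library only)."""
import random
from collections import defaultdict
from statistics import mean

CLASSES = ("normal", "dos", "attack_overload", "natural_overload")
FIELDS = ("cpu_cores", "mem_mib", "req_per_s", "http_5xx_per_s", "client_ips")

# Assumed per-class telemetry profile as (mean, sd) for each FIELDS entry.
# Assumption for the example: a DoS pegs CPU with a flood of failing requests
# from a handful of clients; an attack-induced overload (e.g. a compromised
# pod burning CPU) shows no traffic change; a natural overload is a legitimate
# surge from many distinct clients with few errors.
PROFILES = {
    "normal":           ((0.20, 0.05), (200, 20), (50, 10), (0.5, 0.5), (40, 5)),
    "dos":              ((0.90, 0.05), (400, 30), (900, 100), (200, 50), (3, 1)),
    "attack_overload":  ((0.95, 0.03), (600, 50), (45, 10), (1.0, 1.0), (40, 5)),
    "natural_overload": ((0.85, 0.05), (350, 30), (600, 80), (5.0, 3.0), (400, 40)),
}


def synth_stream(label, n, seed):
    """Constructed per-second agent samples for one pod that stays in `label`."""
    rng = random.Random(seed)
    rows = []
    for t in range(n):
        row = {"t": t, "label": label}
        for name, (mu, sd) in zip(FIELDS, PROFILES[label]):
            row[name] = max(0.0, rng.gauss(mu, sd))
        row["req_per_s"] = max(1.0, row["req_per_s"])   # avoid division by zero
        row["client_ips"] = max(1.0, row["client_ips"])
        rows.append(row)
    return rows


def window_features(stream, size=5):
    """Sliding-window (temporal) features over one pod's samples.
    Each window is labelled by its last sample. Returns (X, y)."""
    X, y = [], []
    for i in range(size, len(stream) + 1):
        w = stream[i - size:i]
        cpu = [s["cpu_cores"] for s in w]
        X.append([
            mean(cpu),
            mean([s["mem_mib"] for s in w]),
            mean([s["req_per_s"] for s in w]),
            mean([s["http_5xx_per_s"] / s["req_per_s"] for s in w]),  # error ratio
            mean([s["client_ips"] for s in w]),
            mean([s["req_per_s"] / s["client_ips"] for s in w]),      # load per client
            (cpu[-1] - cpu[0]) / size,                                 # CPU trend
        ])
        y.append(w[-1]["label"])
    return X, y


def minmax_fit(X):
    """Per-feature (min, max) learned from the training windows only."""
    cols = list(zip(*X))
    return [min(c) for c in cols], [max(c) for c in cols]


def minmax_apply(X, lo, hi):
    """Scale each feature into [0, 1]; a constant feature maps to 0."""
    return [[(v - l) / (h - l) if h > l else 0.0 for v, l, h in zip(row, lo, hi)]
            for row in X]


class NearestCentroid:
    """Minimal supervised classifier used here in place of the paper's
    Random Forest / AdaBoost so the example runs without scikit-learn."""

    def fit(self, X, y):
        groups = defaultdict(list)
        for row, label in zip(X, y):
            groups[label].append(row)
        self.centroids = {lab: [mean(c) for c in zip(*rows)]
                          for lab, rows in groups.items()}
        return self

    def predict(self, X):
        def dist2(row, lab):
            return sum((a - b) ** 2 for a, b in zip(row, self.centroids[lab]))
        return [min(self.centroids, key=lambda lab: dist2(row, lab)) for row in X]


def f1_macro(y_true, y_pred):
    """Unweighted mean of per-class F1, the metric reported in the abstract."""
    scores = []
    for lab in sorted(set(y_true) | set(y_pred)):
        tp = sum(t == lab and p == lab for t, p in zip(y_true, y_pred))
        fp = sum(t != lab and p == lab for t, p in zip(y_true, y_pred))
        fn = sum(t == lab and p != lab for t, p in zip(y_true, y_pred))
        prec = tp / (tp + fp) if tp + fp else 0.0
        rec = tp / (tp + fn) if tp + fn else 0.0
        scores.append(2 * prec * rec / (prec + rec) if prec + rec else 0.0)
    return sum(scores) / len(scores)


def run_pipeline(n_per_stream=40, window=5):
    """Train on one stream per class, evaluate on a different stream per class."""
    Xtr, ytr, Xte, yte = [], [], [], []
    for i, label in enumerate(CLASSES):
        x, y = window_features(synth_stream(label, n_per_stream, seed=i), window)
        Xtr += x; ytr += y
        x, y = window_features(synth_stream(label, n_per_stream, seed=100 + i), window)
        Xte += x; yte += y
    lo, hi = minmax_fit(Xtr)
    model = NearestCentroid().fit(minmax_apply(Xtr, lo, hi), ytr)
    return f1_macro(yte, model.predict(minmax_apply(Xte, lo, hi)))


if __name__ == "__main__":
    print(f"F1 macro on held-out streams: {run_pipeline():.4f}")
```

The split by stream rather than by random window is the part worth copying: consecutive windows share most of their samples, so a random train/test split over windows inflates scores on any telemetry dataset of this shape.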

Keywords: Kubernetes security, microservices, machine learning, anomaly detection, containerization, cybersecurity, telemetry data, real-time threat detection



This work is licensed under a Creative Commons Attribution-NonCommercial 4.0 International License