Abstract: With high resource utilization and flexibility, containers have gained widespread adoption across various computing environments. However, container security has emerged as a primary concern as container-based services grow rapidly. Identifying the root cause and impact of intrusions remains a foundational challenge in container security. Provenance reflects the causal relationships between events, which can significantly aid security personnel in analyzing container attacks. Although existing provenance-based solutions provide extensive system information, there remains a lack of provenance systems specifically focused on container security. We present ConProv, which offers concise and precise provenance analysis of in-container activities, making it highly suitable for container security investigations. Through our analysis of container escape attack techniques, we found that most attacks are caused by excessive permissions and incomplete file subsystem isolation. Based on this insight, we identified the key role that capabilities and file path attributes play in container provenance, which helps guide investigators to pinpoint suspicious events quickly. We developed a prototype implementation of ConProv and designed methods to capture these essential attributes accurately. Our evaluation shows that ConProv outperforms existing provenance systems in container attack investigations while incurring low overhead (<10%).
External IDs: dblp:conf/acsac/DengZ0T024