
LUP Student Papers

LUND UNIVERSITY LIBRARIES

Anomaly detection on system audit events

Bokelund Singh, Alexander Sanjot LU and Björklund, Jonathan LU (2025) EITM01 20251
Department of Electrical and Information Technology
Abstract
The modern world is filled with cybersecurity risks. Current technologies like Kubernetes require extensive know-how and expertise to set up and manage in a secure manner, which has given rise to many ways of securing such environments. Bifrost Security's solution is one way of securing these clusters: it uses AppArmor to lock down an application to the minimal permissions it needs, making attacks much harder. Current solutions, however, lack ways to detect potential misconfigurations or unexpected behavior patterns (which may indicate an attack) during the auditing phase in which the permissions AppArmor should allow are determined. This thesis develops a proof-of-concept anomaly detection model using Isolation Forest, trained on behavior data from Bifrost Security together with self-generated synthetic data containing attacks. The model shows promising results for known environments: it classifies both normal and abnormal behavior with an accuracy of around 95% and achieves an overall F1-score of 97%. Despite the good performance for known environments, the model shows performance issues in environments that differ substantially from those it has seen, which indicates that further work is needed to create a generalized model. The findings of this thesis suggest that anomaly detection on system audit events is a promising approach to enhancing the security of Kubernetes clusters.
Popular Abstract
As the world has become more technical and services have moved into the cloud, new challenges have arisen: how should applications that are always connected to the internet be structured, and how do these applications remain secure? The current industry standard relies on a technology called Kubernetes, which orchestrates many applications at once. When configured correctly, this allows for efficient resource management and easier development cycles. A problem with this technology, however, is the setup process, which requires extensive know-how and where misconfigurations can lead to severe security risks. To mitigate the security risks that come with this technology, many different solutions have sprung up, with different takes on how best to secure these environments with as little overhead as possible. This thesis investigates how Bifrost Security's AppArmor solution can be enhanced using anomaly detection.

The goal of AppArmor is to define a set of rules for which permissions an application is allowed to use, and then to block all other actions. One shortcoming of AppArmor is that it depends on those rules being defined correctly in order to function reliably. This is where Bifrost Security comes in: it is able to dynamically audit the behavior of applications running in Kubernetes clusters and then specify a rule set based on the observed behavior of each application. This makes configuring the AppArmor rules easy and allows companies to lock down their applications to the minimal permissions they need. This reduces the risk of misconfiguration, but it still requires a secure environment to be running during the Bifrost Security audit: any action the application performs during the audit will later be allowed behavior.

This thesis aims to make this initial auditing step more secure and potentially to add a security layer to the solution provided by Bifrost Security. This is done using anomaly detection with Isolation Forest. The idea of anomaly detection is to teach the model what normal behavior looks like, so that the model can flag behavior that deviates from the expected normal data. This means that flagged behavior is not necessarily bad behavior; it is just not normal. It also means that the model does not know whether abnormal behavior is an attack, a misconfiguration or something else.

To train this model, normal behavior data from Bifrost Security is used, and to test how well the model distinguishes between normal and abnormal behavior, it is tested against a synthetically generated dataset containing both normal and abnormal behavior. Furthermore, the model is tested by excluding known normal behavior from its training data and then using that data to test the model. The goal of this is to determine how general the model can be: is it able to identify normal behavior on previously unseen application configurations?

The results from these tests indicate that the model is able to distinguish between normal and abnormal behavior 95% of the time when it has previously seen similar applications and their normal behavior. For completely new applications, however, the model struggled and performed poorly.

We believe that this approach could be useful during the auditing phase of Bifrost Security's solution, as well as a potential extra security layer for known applications. Further work is needed to generalize the model so that it works for entirely new environments.
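The pipeline the popular abstract describes (audit events in, "normal or not" out, scored with accuracy and F1) is illustrated below with a worked example added for this page; it is not code from the thesis and not Bifrost Security's tooling. It parses constructed AppArmor-style complain-mode audit records for a made-up profile `myapp`, turns each record into a small feature vector, fits an Isolation Forest written out from scratch (the thesis does not say which implementation it used, and this one follows the original Liu, Ting and Zhou algorithm rather than a library) on a pool of mostly normal events with a few injected attacks, and then flags the highest-scoring share. The event templates, the feature set, the attack lines and the alert budget are all the example's own choices.

```python
import math
import random
import re

# Constructed AppArmor-style audit records, not data from the thesis or from Bifrost
# Security; the layout mimics a complain-mode profile, where actions are ALLOWED but audited.
NORMAL_TEMPLATES = [
    'operation="open" name="/etc/myapp/config.yaml" requested_mask="r" fsuid=1000',
    'operation="open" name="/usr/lib/x86_64-linux-gnu/libssl.so.3" requested_mask="r" fsuid=1000',
    'operation="open" name="/var/lib/myapp/data/cache.db" requested_mask="r" fsuid=1000',
    'operation="open" name="/var/lib/myapp/data/cache.db" requested_mask="w" fsuid=1000',
    'operation="open" name="/dev/urandom" requested_mask="r" fsuid=1000',
    'operation="open" name="/var/log/myapp/app.log" requested_mask="wc" fsuid=1000',
]
ATTACK_LINES = [  # what an intruder in the pod might do during the audit window
    'operation="exec" name="/bin/sh" requested_mask="x" fsuid=0',
    'operation="open" name="/etc/passwd" requested_mask="w" fsuid=0',
    'operation="capable" capability=21 capname="sys_admin"',
    'operation="exec" name="/tmp/.x/payload" requested_mask="x" fsuid=1000',
]
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

def audit_line(i, body):  # wrap a body in the kernel's audit framing
    return 'type=AVC msg=audit(1700000000.%03d:%d): apparmor="ALLOWED" profile="myapp" %s pid=%d' % (i, i, body, 1000 + i)

def parse_event(line):
    """Split a key=value audit line into a dict; quoted values may hold spaces."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in FIELD_RE.finditer(line)}

def featurize(ev):
    """Numeric view of one event; the feature choice is this example's own."""
    mask, name = ev.get("requested_mask", ""), ev.get("name", "")
    return [float(any(c in mask for c in "wac")),            # write/append/create
            float("x" in mask or ev.get("operation") == "exec"),
            float(ev.get("fsuid") == "0"),                    # acting as root
            float(name.startswith("/etc/")),
            float(name.startswith(("/tmp/", "/var/tmp/", "/dev/shm/"))),
            float(ev.get("operation") == "capable"),
            float(min(name.count("/"), 8))]                   # path depth

def _c(n):  # mean depth of a failed BST search: the Isolation Forest normaliser
    return 0.0 if n <= 1 else 1.0 if n == 2 else 2.0 * (math.log(n - 1) + 0.5772156649) - 2.0 * (n - 1) / n

def _grow(rows, depth, limit, rng):
    """Random isolation tree: cut a feature that still varies at a random point."""
    varying = [f for f in range(len(rows[0]))
               if len({r[f] for r in rows}) > 1] if len(rows) > 1 else []
    if depth >= limit or not varying:
        return (len(rows),)                                   # leaf keeps its size
    f = rng.choice(varying)
    cut = rng.uniform(min(r[f] for r in rows), max(r[f] for r in rows))
    return (f, cut, _grow([r for r in rows if r[f] < cut], depth + 1, limit, rng),
            _grow([r for r in rows if r[f] >= cut], depth + 1, limit, rng))

def _path(tree, x, depth=0):  # cuts needed to reach x's leaf, plus the leaf-size correction
    if len(tree) == 1:
        return depth + _c(tree[0])
    f, cut, left, right = tree
    return _path(left if x[f] < cut else right, x, depth + 1)

class IsolationForest:
    def __init__(self, n_trees=200, sample_size=256, seed=7):
        self.n_trees, self.sample_size, self.rng = n_trees, sample_size, random.Random(seed)

    def fit(self, X):
        self.psi = min(self.sample_size, len(X))
        limit = math.ceil(math.log2(self.psi)) if self.psi > 1 else 0
        self.trees = [_grow(self.rng.sample(X, self.psi), 0, limit, self.rng)
                      for _ in range(self.n_trees)]
        return self

    def score(self, x):  # in (0, 1]; near 1 means isolated in far fewer cuts than average
        avg = sum(_path(t, x) for t in self.trees) / len(self.trees)
        return 2.0 ** (-avg / _c(self.psi))

def threshold_for(scores, contamination):  # cut-off flagging the top `contamination` share
    ordered = sorted(scores, reverse=True)
    return ordered[max(1, round(contamination * len(ordered))) - 1]

def evaluate(flagged, truth):
    """Accuracy and F1 of the flagged set against the constructed labels."""
    tp = sum(p and t for p, t in zip(flagged, truth))
    errors = sum(p != t for p, t in zip(flagged, truth))     # false positives + false negatives
    return {"accuracy": 1 - errors / len(truth), "f1": 2 * tp / (2 * tp + errors) if tp else 0.0}

def run_demo(n_normal=60):
    """Pool 60 normal events with the 4 attacks, fit, score, flag the top share."""
    lines = [audit_line(i, NORMAL_TEMPLATES[i % len(NORMAL_TEMPLATES)]) for i in range(n_normal)]
    lines += [audit_line(n_normal + j, body) for j, body in enumerate(ATTACK_LINES)]
    truth = [False] * n_normal + [True] * len(ATTACK_LINES)
    X = [featurize(parse_event(line)) for line in lines]
    forest = IsolationForest().fit(X)
    scores = [forest.score(x) for x in X]
    # The alert budget equals the true attack share only because the data is constructed; on
    # real data it is a tuning knob, and a flagged event is merely unusual, not proven malicious.
    cut = threshold_for(scores, len(ATTACK_LINES) / len(lines))
    return scores, truth, evaluate([s >= cut for s in scores], truth)
```

Calling `run_demo()` returns the per-event scores, the constructed labels and the metrics; the four injected attack events end up with the highest scores because each carries a value (exec, root, a capability request, a path under /tmp) that is rare in the pool and is therefore cut off in one or two random splits, while each normal event shares its feature vector with nine others and can never be isolated below that group. Two caveats follow directly from the algorithm. A tree can only cut on a feature that varies within its sample, so an attack that differs from normal traffic only along a dimension that is constant in the training data lands in the same leaf as the normal events and gets the same score; the feature set matters at least as much as the model. And the threshold is a budget, not a verdict: lowering the contamination share trades recall for fewer alerts, and, as the popular abstract says, a flagged event is only known to be unusual. To mimic the thesis's second experiment, fit on events built from a subset of `NORMAL_TEMPLATES` and score the held-out ones.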
Please use the following entry to cite this publication:
@misc{9214194,
  abstract     = {{The modern world is filled with cybersecurity risks. Current technologies like Kubernetes require extensive know-how and expertise to set up and manage in a secure manner, which has given rise to many ways of securing such environments. Bifrost Security's solution is one way of securing these clusters: it uses AppArmor to lock down an application to the minimal permissions it needs, making attacks much harder. Current solutions, however, lack ways to detect potential misconfigurations or unexpected behavior patterns (which may indicate an attack) during the auditing phase in which the permissions AppArmor should allow are determined. This thesis develops a proof-of-concept anomaly detection model using Isolation Forest, trained on behavior data from Bifrost Security together with self-generated synthetic data containing attacks. The model shows promising results for known environments: it classifies both normal and abnormal behavior with an accuracy of around 95% and achieves an overall F1-score of 97%. Despite the good performance for known environments, the model shows performance issues in environments that differ substantially from those it has seen, which indicates that further work is needed to create a generalized model. The findings of this thesis suggest that anomaly detection on system audit events is a promising approach to enhancing the security of Kubernetes clusters.}},
  author       = {{Bokelund Singh, Alexander Sanjot and Björklund, Jonathan}},
  language     = {{eng}},
  note         = {{Student Paper}},
  title        = {{Anomaly detection on system audit events}},
  year         = {{2025}},
}