KubeFuzzer:Automating RESTful API Vulnerability Detection in Kubernetes

RESTful API fuzzing is a promising method for automated vulnerability detection in Kubernetes platforms.Existing tools struggle with generating lengthy,high-semantic request sequences that can pass Kubernetes API gateway checks.To address this,we propose KubeFuzzer,a black-box fuzzing tool designed for Kubernetes RESTful APIs.KubeFuzzer utilizes Natural Language Processing(NLP)to extract and integrate semantic information from API specifications and response messages,guiding the generation of more effective request sequences.Our evaluation of KubeFuzzer on various Kubernetes clusters shows that it improves code coverage by 7.86%to 36.34%,increases the successful response rate by 6.7%to 83.33%,and detects 16.7%to 133.3%more bugs compared to three leading techniques.KubeFuzzer identified over 1000 service crashes,which were narrowed down to 7 unique bugs.We tested these bugs on 10 real-world Kubernetes projects,including major providers like AWS(EKS),Microsoft Azure(AKS),and Alibaba Cloud(ACK),and confirmed that these issues could trigger service crashes.We have reported and confirmed these bugs with the Kubernetes community,and they have been addressed.

Detecting APT-Exploited Processes through Semantic Fusion and Interaction Prediction

Considering the stealthiness and persistence of Advanced Persistent Threats(APTs),system audit logs are leveraged in recent studies to construct system entity interaction provenance graphs to unveil threats in a host.Rule-based provenance graph APT detection approaches require elaborate rules and cannot detect unknown attacks,and existing learning-based approaches are limited by the lack of available APT attack samples or generally only perform graph-level anomaly detection,which requires lots of manual efforts to locate attack entities.This paper proposes an APT-exploited process detection approach called ThreatSniffer,which constructs the benign provenance graph from attack-free audit logs,fits normal system entity interactions and then detects APT-exploited processes by predicting the rationality of entity interactions.Firstly,ThreatSniffer understands system entities in terms of their file paths,interaction sequences,and the number distribution of interaction types and uses the multi-head self-attention mechanism to fuse these semantics.Then,based on the insight that APT-exploited processes interact with system entities they should not invoke,ThreatSniffer performs negative sampling on the benign provenance graph to generate non-existent edges,thus characterizing irrational entity interactions without requiring APT attack samples.At last,it employs a heterogeneous graph neural network as the interaction prediction model to aggregate the contextual information of entity interactions,and locate processes exploited by attackers,thereby achieving fine-grained APT detection.Evaluation results demonstrate that anomaly-based detection enables ThreatSniffer to identify all attack activities.Compared to the node-level APT detection method APT-KGL,ThreatSniffer achieves a 6.1%precision improvement because of its comprehensive understanding of entity semantics.

Enhancing the Trustworthiness of 6G Based on Trusted Multi-Cloud Infrastructure:A Practice of Cryptography Approach

Due to the need for massive device connectivity,low communication latency,and various customizations in 6G architecture,a distributed cloud deployment approach will be more relevant to the space-air-ground-sea integrated network scenario.However,the openness and heterogeneity of the 6G network cause the problems of network security.To improve the trustworthiness of 6G networks,we propose a trusted computing-based approach for establishing trust relationships inmulti-cloud scenarios.The proposed method shows the relationship of trust based on dual-level verification.It separates the trustworthy states of multiple complex cloud units in 6G architecture into the state within and between cloud units.Firstly,SM3 algorithm establishes the chain of trust for the system’s trusted boot phase.Then,the remote attestation server(RAS)of distributed cloud units verifies the physical servers.Meanwhile,the physical servers use a ring approach to verify the cloud servers.Eventually,the centralized RAS takes one-time authentication to the critical evidence information of distributed cloud unit servers.Simultaneously,the centralized RAS also verifies the evidence of distributed RAS.We establish our proposed approach in a natural OpenStack-based cloud environment.The simulation results show that the proposed method achieves higher security with less than a 1%system performance loss.

NCCMF:Non-Collaborative Continuous Monitoring Framework for Container-Based Cloud Runtime Status

The security performance of cloud services is a key factor influencing users’selection of Cloud Service Providers(CSPs).Continuous monitoring of the security status of cloud services is critical.However,existing research lacks a practical framework for such ongoing monitoring.To address this gap,this paper proposes the first NonCollaborative Container-Based Cloud Service Operation State Continuous Monitoring Framework(NCCMF),based on relevant standards.NCCMF operates without the CSP’s collaboration by:1)establishing a scalable supervisory index system through the identification of security responsibilities for each role,and 2)designing a Continuous Metrics Supervision Protocol(CMA)to automate the negotiation of supervisory metrics.The framework also outlines the supervision process for cloud services across different deployment models.Experimental results demonstrate that NCCMF effectively monitors the operational state of two real-world IoT(Internet of Things)cloud services,with an average supervision error of less than 15%.

PIMS:An Efficient Process Integrity Monitoring System Based on Blockchain and Trusted Computing in Cloud-Native Context

With the advantages of lightweight and high resource utilization,cloud-native technology with containers as the core is gradually becoming themainstreamtechnical architecture for information infrastructure.However,malware attacks such as Doki and Symbiote threaten the container runtime’s security.Malware initiates various types of runtime anomalies based on process form(e.g.,modifying the process of a container,and opening the external ports).Fortunately,dynamic monitoring mechanisms have proven to be a feasible solution for verifying the trusted state of containers at runtime.Nevertheless,the current routine dynamic monitoring mechanisms for baseline data protection are still based on strong security assumptions.As a result,the existing dynamicmonitoringmechanismis still not practical enough.To ensure the trustworthiness of the baseline value data and,simultaneously,to achieve the integrity verification of the monitored process,we combine blockchain and trusted computing to propose a process integrity monitoring system named IPMS.Firstly,the hardware TPM 2.0 module is applied to construct a trusted security foundation for the integrity of the process code segment due to its tamper-proof feature.Then,design a new format for storing measurement logs,easily distinguishing files with the same name in different containers from log information.Meanwhile,the baseline value data is stored on the blockchain to avoidmalicious damage.Finally,trusted computing technology is used to perform fine-grained integrity measurement and remote attestation of processes in a container,detect abnormal containers in time and control them.We have implemented a prototype system and performed extensive simulation experiments to test and analyze the functionality and performance of the PIMS.Experimental results show that PIMS can accurately and efficiently detect tampered processes with only 3.57% performance loss to the container.

IDEA:A Utility-Enhanced Approach to Incomplete Data Stream Anonymization

The prevalence of missing values in the data streams collected in real environments makes them impossible to ignore in the privacy preservation of data streams.However,the development of most privacy preservation methods does not consider missing values.A few researches allow them to participate in data anonymization but introduce extra considerable information loss.To balance the utility and privacy preservation of incomplete data streams,we present a utility-enhanced approach for Incomplete Data strEam Anonymization(IDEA).In this approach,a slide-window-based processing framework is introduced to anonymize data streams continuously,in which each tuple can be output with clustering or anonymized clusters.We consider the dimensions of attribute and tuple as the similarity measurement,which enables the clustering between incomplete records and complete records and generates the cluster with minimal information loss.To avoid the missing value pollution,we propose a generalization method that is based on maybe match for generalizing incomplete data.The experiments conducted on real datasets show that the proposed approach can efficiently anonymize incomplete data streams while effectively preserving utility.