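@comment{
  Five conference papers on security attack detection and vulnerability
  analysis for containerized applications and cloud server systems.
  Every venue below is a conference proceedings volume, so the entries use
  the inproceedings type with the venue in booktitle; the original export
  had them as the article type with the venue in journal, which standard
  styles would render as a journal citation. Page ranges use the BibTeX
  double hyphen, the percent sign is escaped inside abstracts so a style
  that prints them does not truncate the text, and acronyms in titles are
  braced so sentence-casing styles keep them. The bracketed ISSN values from
  the export are reduced to plain identifiers. abstractNote is not a
  standard field (standard styles ignore it); it is kept as exported for
  reference-manager round-tripping.
}

@inproceedings{lin_tunde-onadele_gu_he_latapie_2022,
  author       = {Lin, Yuhang and Tunde-Onadele, Olufogorehan and Gu, Xiaohui and He, Jingzhu and Latapie, Hugo},
  title        = {{SHIL}: Self-Supervised Hybrid Learning for Security Attack Detection in Containerized Applications},
  booktitle    = {2022 {IEEE} International Conference on Autonomic Computing and Self-Organizing Systems ({ACSOS} 2022)},
  year         = {2022},
  pages        = {41--50},
  doi          = {10.1109/ACSOS55765.2022.00022},
  abstractNote = {Container security has received much research attention recently. Previous work has proposed to apply various machine learning techniques to detect security attacks in containerized applications. On one hand, supervised machine learning schemes require sufficient labelled training data to achieve good attack detection accuracy. On the other hand, unsupervised machine learning methods are more practical by avoiding training data labelling requirements, but they often suffer from high false alarm rates. In this paper, we present SHIL, a self-supervised hybrid learning solution, which combines unsupervised and supervised learning methods to achieve high accuracy without requiring any manual data labelling. We have implemented a prototype of SHIL and conducted experiments over 41 real world security attacks in 28 commonly used server applications. Our experimental results show that SHIL can reduce false alarms by 39--91\% compared to existing supervised or unsupervised machine learning schemes while achieving a higher or similar detection rate.},
}

@inproceedings{tunde-onadele_lin_gu_he_2022,
  author       = {Tunde-Onadele, Olufogorehan and Lin, Yuhang and Gu, Xiaohui and He, Jingzhu},
  title        = {Understanding Software Security Vulnerabilities in Cloud Server Systems},
  booktitle    = {2022 {IEEE} International Conference on Cloud Engineering ({IC2E} 2022)},
  year         = {2022},
  pages        = {245--252},
  issn         = {2373-3845},
  doi          = {10.1109/IC2E55432.2022.00033},
  abstractNote = {Cloud systems have been widely adopted by many real world production applications. Thus, security vulnerabilities in those cloud systems can cause serious widespread impact. Although previous intrusion detection systems can detect security attacks, understanding the underlying software defects that cause those security vulnerabilities is little studied. In this paper, we conduct a systematic study over 110 software security vulnerabilities in 13 popular cloud server systems. To understand the underlying vulnerabilities, we answer the following questions: 1) what are the root causes of those security vulnerabilities? 2) what threat impact do those vulnerable code have? 3) how do developers patch those vulnerable code? Our results show that the vulnerable code of the studied security vulnerabilities comprise five common categories: 1) improper execution restrictions, 2) improper permission checks, 3) improper resource path-name checks, 4) improper sensitive data handling, and 5) improper synchronization handling. We further extract principal vulnerable code patterns from those common vulnerability categories.},
}

@inproceedings{lin_tunde-onadele_gu_2020,
  author       = {Lin, Yuhang and Tunde-Onadele, Olufogorehan and Gu, Xiaohui},
  title        = {{CDL}: Classified Distributed Learning for Detecting Security Attacks in Containerized Applications},
  booktitle    = {36th Annual Computer Security Applications Conference ({ACSAC} 2020)},
  year         = {2020},
  pages        = {179--188},
  issn         = {1063-9527},
  doi          = {10.1145/3427228.3427236},
  abstractNote = {Containers have been widely adopted in production computing environments for its efficiency and low overhead of isolation. However, recent studies have shown that containerized applications are prone to various security attacks. Moreover, containerized applications are often highly dynamic and short-lived, which further exacerbates the problem. In this paper, we present CDL, a classified distributed learning framework to achieve efficient security attack detection for containerized applications. CDL integrates online application classification and anomaly detection to overcome the challenge of lacking sufficient training data for dynamic short-lived containers while considering diversified normal behaviors in different applications. We have implemented a prototype of CDL and evaluated it over 33 real world vulnerability attacks in 24 commonly used server applications. Our experimental results show that CDL can reduce the false positive rate from over 12\% to 0.24\% compared to traditional anomaly detection schemes without aggregating training data. By introducing application classification into container behavior learning, CDL can improve the detection rate from catching 20 attacks to 31 attacks before those attacks succeed. CDL is light-weight, which can complete application classification and anomaly detection for each data sample within a few milliseconds.},
}

@inproceedings{tunde-onadele_lin_he_gu_2020,
  author       = {Tunde-Onadele, Olufogorehan and Lin, Yuhang and He, Jingzhu and Gu, Xiaohui},
  title        = {{Self-Patch}: Beyond {Patch Tuesday} for Containerized Applications},
  booktitle    = {2020 {IEEE} International Conference on Autonomic Computing and Self-Organizing Systems ({ACSOS} 2020)},
  year         = {2020},
  pages        = {21--27},
  doi          = {10.1109/ACSOS49614.2020.00022},
  abstractNote = {Containers have become increasingly popular in distributed computing environments. However, recent studies have shown that containerized applications are susceptible to various security attacks. Traditional periodically scheduled software update approaches not only become ineffective under dynamic container environments but also impose high overhead to containers. In this paper, we present Self-Patch, a new self-triggering patching framework for applications running inside containers. Self-Patch combines light-weight runtime attack detection and dynamic targeted patching to achieve more efficient and effective security protection for containerized applications. We evaluated our schemes over 31 real world vulnerability attacks in 23 commonly used server applications. Results show that Self-Patch can accurately detect and classify 81\% of attacks and reduce patching overhead by up to 84\%.},
}

@inproceedings{tunde-onadele_he_dai_gu_2019,
  author       = {Tunde-Onadele, Olufogorehan and He, Jingzhu and Dai, Ting and Gu, Xiaohui},
  title        = {A Study on Container Vulnerability Exploit Detection},
  booktitle    = {2019 {IEEE} International Conference on Cloud Engineering ({IC2E})},
  year         = {2019},
  pages        = {121--127},
  issn         = {2373-3845},
  doi          = {10.1109/IC2E.2019.00026},
  abstractNote = {Containers have become increasingly popular for deploying applications in cloud computing infrastructures. However, recent studies have shown that containers are prone to various security attacks. In this paper, we conduct a study on the effectiveness of various vulnerability detection schemes for containers. Specifically, we implement and evaluate a set of static and dynamic vulnerability attack detection schemes using 28 real world vulnerability exploits that widely exist in docker images. Our results show that the static vulnerability scanning scheme only detects 3 out of 28 tested vulnerabilities and dynamic anomaly detection schemes detect 22 vulnerability exploits. Combining static and dynamic schemes can further improve the detection rate to 86\% (i.e., 24 out of 28 exploits). We also observe that the dynamic anomaly detection scheme can achieve more than 20 seconds lead time (i.e., a time window before attacks succeed) for a group of commonly seen attacks in containers that try to gain a shell and execute arbitrary code.},
}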