Arjun Chakraborty

Threat Detection on Kubernetes Logs Using GNN Embeddings (pdf, video)

Kubernetes (K8s) is a platform used for managing containerized applications. It has robust orchestration, scaling and load balancing capabilities. However, its complexity can make it a target for attackers.

This necessitates a need to focus on securing every aspect of the Kubernetes stack. For this purpose, Kubernetes audit logs are very useful. K8s audit logs record each activity that occurs in the cluster. It also adds metadata such as IP, user agent, etc. This can be then used to look for indicators of attack.

Our work introduces a novel GNN (Graph Neural network) based solution to K8s threat detection. We model a sequence of dependent events occurring within a K8s session as a graph and formulate the problem as a graph classification task. The embeddings generated from the graph classification task are then used downstream for anomaly detection.

We simulate some commonly used adversarial techniques and showcase how using GNN-based embeddings downstream can strengthen traditional rules-based threat detection techniques.

Our discussion covers dataset creation, graph modeling of K8s sessions, embedding extraction, application of the embeddings and finally, the adversarial simulation for testing.