Real-Time Kernel Behavioral Monitoring in Cloud-Native Systems
The frequency of notable data breaches in cloud-native systems has increased over the past several years, causing many problems for both large and small organizations. These systems have a very large attack surface, associated with their use of many publicly accessible APIs, which can make it difficult to differentiate normal from malicious behavior. Managing every aspect of a cloud-native system is prone to misconfiguration errors, since it requires setting and auditing thousands of parameters in enterprise systems. A successful data breach requires the bad actors to remain undetected for long periods of time so that data exfiltration does not trigger intrusion-protection controls. In this research, we recreate a realistic cloud-native environment to emulate a data-breach attack based on common API misconfiguration mistakes. We then introduce a custom monitoring platform, SkyShark, created to collect system-call data from the kernels in a Kubernetes cluster; this data is used to train machine learning models capable of differentiating normal from suspicious activity during emulated stealthy attacks.
This project delivers a real-time monitoring and alerting platform designed to detect API-based breaches in cloud-native environments. By leveraging machine learning and kernel-level observability, it baselines normal application behavior and identifies subtle deviations indicative of attacks. Built on a streaming architecture using NATS, OpenTelemetry, and Grafana, the system enables continuous analysis and visualization of runtime behaviors that traditional infrastructure-focused tools often overlook.
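To make the baseline-and-deviation idea concrete, the following is an added example (not SkyShark's code and not part of the original page). It assumes that system-call events have already been collected per container and grouped into fixed-size time windows by the upstream streaming pipeline; the windows below are constructed inline so the script runs offline. A Hellinger distance from a mean syscall-frequency profile, thresholded on the training windows' own spread, stands in for the machine learning models the page describes, and the anomaly flag also fires on any syscall never seen during baselining.

```python
"""Baseline-and-deviation scoring over kernel system-call windows.

Added example, not SkyShark's code. Assumes syscall events were already
collected per container and split into fixed-size windows upstream; the
sample windows here are constructed so the script runs stand-alone.
"""
import math
from collections import Counter

# Constructed baseline: five windows of syscall names from one workload with
# a stable mix (100 calls each). These stand in for collected training data.
BASELINE_WINDOWS = [
    ["read"] * 40 + ["write"] * 30 + ["openat"] * 10 + ["close"] * 10 + ["connect"] * 2 + ["sendto"] * 8,
    ["read"] * 42 + ["write"] * 28 + ["openat"] * 11 + ["close"] * 9 + ["connect"] * 2 + ["sendto"] * 8,
    ["read"] * 38 + ["write"] * 31 + ["openat"] * 10 + ["close"] * 11 + ["connect"] * 3 + ["sendto"] * 7,
    ["read"] * 41 + ["write"] * 29 + ["openat"] * 9 + ["close"] * 10 + ["connect"] * 2 + ["sendto"] * 9,
    ["read"] * 39 + ["write"] * 30 + ["openat"] * 10 + ["close"] * 10 + ["connect"] * 3 + ["sendto"] * 8,
]

# Constructed windows to score: one that resembles the baseline, and one with
# an unusually network-heavy mix plus a syscall never seen during training.
NORMAL_WINDOW = (["read"] * 41 + ["write"] * 30 + ["openat"] * 10 + ["close"] * 10
                 + ["connect"] * 2 + ["sendto"] * 7)
SUSPICIOUS_WINDOW = (["read"] * 40 + ["write"] * 10 + ["openat"] * 5 + ["close"] * 5
                     + ["connect"] * 10 + ["sendto"] * 30 + ["socket"] * 5)


def profile(window, vocab):
    """Fraction of the window's calls taken by each syscall in vocab.

    The denominator counts every call, so syscalls outside vocab reduce the
    vector's total mass instead of vanishing, and the distance below grows.
    """
    counts = Counter(window)
    total = sum(counts.values()) or 1
    return [counts.get(s, 0) / total for s in vocab]


def hellinger(p, q):
    """Hellinger distance between two frequency vectors (0 = same, 1 = disjoint)."""
    return math.sqrt(sum((math.sqrt(a) - math.sqrt(b)) ** 2 for a, b in zip(p, q))) / math.sqrt(2)


class SyscallBaseline:
    """Learns a mean syscall profile and a distance threshold from normal windows."""

    def __init__(self, windows, k=3.0):
        self.vocab = sorted({s for w in windows for s in w})
        profiles = [profile(w, self.vocab) for w in windows]
        n = len(profiles)
        self.mean = [sum(col) / n for col in zip(*profiles)]
        # Threshold: mean + k standard deviations of the training windows' own
        # distances to the mean profile (population std, since n is small).
        dists = [hellinger(p, self.mean) for p in profiles]
        mu = sum(dists) / n
        sd = math.sqrt(sum((d - mu) ** 2 for d in dists) / n)
        self.threshold = mu + k * sd

    def score(self, window):
        """Return the window's distance, any unseen syscalls, and an anomaly flag."""
        dist = hellinger(profile(window, self.vocab), self.mean)
        unseen = sorted(set(window) - set(self.vocab))
        return {
            "distance": dist,
            "threshold": self.threshold,
            "unseen": unseen,
            "anomalous": dist > self.threshold or bool(unseen),
        }


if __name__ == "__main__":
    baseline = SyscallBaseline(BASELINE_WINDOWS)
    for name, w in (("normal", NORMAL_WINDOW), ("suspicious", SUSPICIOUS_WINDOW)):
        r = baseline.score(w)
        print(f"{name}: distance={r['distance']:.3f} threshold={r['threshold']:.3f} "
              f"unseen={r['unseen']} anomalous={r['anomalous']}")
```

In a deployment the windows would be keyed by container and time interval as they arrive over the message bus, and the per-window score and flag would be the values exported to the dashboard; the distance threshold should be re-derived whenever the workload is redeployed, since a legitimate version change shifts the baseline profile.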
rebecca.l.moroz@drexel.edu
bsm23@drexel.edu