Network Traffic Analysis
Full inspection of network traffic
Prevasio intercepts and inspects all network traffic generated by containers, including HTTPS traffic.

SSL/TLS inspection is performed by dynamically injecting a MITM proxy certificate into the analysed container and forcing the container to trust it.

Currently, Prevasio provides HTTPS interception on the 10 most common Linux distributions used by containers.

EXAMPLE

The following example demonstrates an interception of HTTP and HTTPS traffic in a container spawned from this Docker Hub image.

Vulnerability Scan
Identification of the vulnerable packages/libraries
Using the Trivy vulnerability scanner from Aqua Security, Prevasio reports any packages with known, previously reported vulnerabilities.

EXAMPLE

In the following example, the Docker Hub image contains critical vulnerabilities in 28 packages.

ML Scan
Machine Learning classifier of x32/x64 ELF executables
Any x32/x64 ELF executable file created during the container image build and container runtime phases is scanned with Prevasio's ML model.

The model is trained on tens of thousands of malicious and bespoke files, using not only static file characteristics but also the disassembled code and its instruction sequence.

The model targets a false positive rate of 0.001 (0.1%), which yields a 95.6% detection rate over the test set.

Using an ML model for scanning preserves detection of known malware families even when samples are modified and recompiled. For example, repeated recompilations of the Mirai bot with different configurations, such as a different C&C server, are still reliably detected by Prevasio's ML model.

EXAMPLE #1

Prevasio's ML classifier is able to detect malicious executable files within live Docker Hub container images, such as this one. The method is signatureless: it relies on the ELF file's static characteristics, its entropy, and the sequence of its disassembled code.

EXAMPLE #2

In the following example, a malicious container image is created dynamically to simulate an attack (see the contents of the Dockerfile here).

Because the malicious executable is compiled from modified source, its hash is not present in any file repository, and the ML model was NOT trained on this file either. However, because the model was trained on similar samples, it can generically detect an unknown, previously unseen sample that still belongs to a known malware family.

Automated Pen-Test
Secure pen-testing of the services exposed by containers
While the Vulnerability Scan has an 'unfair' advantage in that it accesses the container's internals, the automated penetration test performed by Prevasio targets containers from the 'outside'.

In doing so, Prevasio simulates an attacker's actions: it first fingerprints the running services and then runs exploits against them.

In addition, the pen-test performs a brute-force attack against identified services (such as SSH or MySQL) to find weak credentials that would allow an attacker to log in.

As the pen-test is performed in an isolated environment, it poses no risk to the production environment.

EXAMPLE

The following example demonstrates how the Automated Pen-Test identified the type of FTP server running inside a container spawned from this Docker Hub image, then successfully brute-forced it and found working credentials.

System Event Graph
Visual representation of system events, intercepted on kernel-level
Prevasio collects kernel-level system events within a running container:
  • File system events
  • Network events
  • Process lifecycle events
  • Kernel syscalls
  • User call events
These events are then correlated into a hierarchy and displayed as a force-directed graph. The graph makes it possible to visually identify problematic containers and to quickly establish their remote access points.

EXAMPLE

A massive event graph is generated for a Docker container that connects to the Bitcoin peer-to-peer network. Note the geographic distribution of the nodes.

The Docker Hub image is available at this link.
Copyright © 2020 All Rights Reserved by Prevasio Pty Ltd.