Patents by Inventor Hirokuni Kitahara

Hirokuni Kitahara has filed for patents to protect the following inventions. This listing includes patent applications that are pending as well as patents that have already been granted by the United States Patent and Trademark Office (USPTO).

  • Patent number: 11960578
    Abstract: A method is provided for determining command-to-process correspondence. The method includes identifying, by the hardware processor, initial processes resulting from executions of container immutability change events for each of multiple initially mutable containers in a cluster, based on an execution time, a process identifier and a process group identifier for each of the container immutability change events. The method also includes designating, by the hardware processor, a particular external command, from among external container commands stored in a database, as having a correspondence to an initial process, responsive to the initial process matching at least one respective process resulting from executing the particular external command.
    Type: Grant
    Filed: November 3, 2022
    Date of Patent: April 16, 2024
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Hirokuni Kitahara, Yuji Watanabe, Fumiko Akiyama
  • Publication number: 20240095075
    Abstract: A computer-implemented method for determining container information associated with detected container mutation events is disclosed. The computer-implemented method includes: determining that a system call event to a host operating system includes a call to join a namespace and execute a parent process inside the namespace; determining that the namespace is associated with an existing container; responsive to determining that the namespace is associated with an existing container, determining that the system call event further includes a call to execute a child process inside the namespace; and responsive to determining that the system call event further includes a call to execute a child process inside the namespace: designating the child process as a mutation event to the existing container, and determining container information associated with the mutation event to the existing container. A corresponding computer system and computer program product are also disclosed.
    Type: Application
    Filed: September 21, 2022
    Publication date: March 21, 2024
    Inventors: Hirokuni Kitahara, Yuji Watanabe, Kugamoorthy Gajananan, Ruriko Kudo
  • Patent number: 11914755
    Abstract: Methods and systems for verifying a resource definition include simulating an original resource definition to identify at least one change that is made to the original resource definition by a management service. A signature of a received resource definition is generated, omitting portions of the received resource definition that correspond to the at least one identified change. The signature of the received resource definition is compared to a signature of the original resource definition to find a match and to verify the received resource definition. The received resource definition is implemented, responsive to finding the match.
    Type: Grant
    Filed: February 4, 2021
    Date of Patent: February 27, 2024
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Hirokuni Kitahara, Ruriko Kudo, Kugamoorthy Gajananan, Yuji Watanabe
  • Patent number: 11809534
    Abstract: A system for controlling access to cluster resources is provided. The system includes one or more processors; and memory operatively coupled to the one or more processors, wherein the one or more processors and the memory form a cluster of computer resources that includes an admission controller configured to receive requests and determine if the request is authorized, a request history database that stores the request information received by the admission controller from a plurality of users, a role design advisor that is configured to adjust permissions for the plurality of users based on a pattern of usage identified from the request history database, and an alert system that communicates an alert to an administrator that a request outside the pattern of requests for the user has been received by the admission controller, wherein the admission controller, request history database, and role design advisor control access to the cluster resources.
    Type: Grant
    Filed: April 22, 2021
    Date of Patent: November 7, 2023
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Yuji Watanabe, Ruriko Kudo, Hirokuni Kitahara, Kugamoorthy Gajananan
  • Patent number: 11704413
    Abstract: A computer-implemented method for assessing latent security risks in Kubernetes clusters is provided including selecting a service account from a plurality of service accounts defined in namespaces of a cluster, binding a role to the selected service account based on predetermined role-binding data, and determining if the role meets at least one of a first, second, and third conditions based on predetermined role data defining permitted operations for roles, the first condition being that the role can receive secret tokens for pods within a namespace of the namespaces, the second condition being that the role can perform execution operation to other pods, and the third condition being that the role can create DaemonSet, Deployment, StatefulSet, and additional pods on the namespace.
    Type: Grant
    Filed: April 22, 2021
    Date of Patent: July 18, 2023
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Yuji Watanabe, Ruriko Kudo, Kugamoorthy Gajananan, Hirokuni Kitahara
  • Publication number: 20230054683
    Abstract: A method is provided for determining command-to-process correspondence. The method includes identifying, by the hardware processor, initial processes resulting from executions of container immutability change events for each of multiple initially mutable containers in a cluster, based on an execution time, a process identifier and a process group identifier for each of the container immutability change events. The method also includes designating, by the hardware processor, a particular external command, from among external container commands stored in a database, as having a correspondence to an initial process, responsive to the initial process matching at least one respective process resulting from executing the particular external command.
    Type: Application
    Filed: November 3, 2022
    Publication date: February 23, 2023
    Inventors: Hirokuni Kitahara, Yuji Watanabe, Fumiko Akiyama
  • Patent number: 11580199
    Abstract: A method is provided for determining command-to-process correspondence. The method includes identifying, by the hardware processor, initial processes resulting from executions of container immutability change events for each of multiple containers in a cluster, based on an execution time, a process identifier and a process group identifier for each of the container immutability change events. The method further includes checking, by the hardware processor, if an initial process from among the identified initial processes matches an entry in a database that stores external container commands and at least one respective process resulting from executing each of the external container commands.
    Type: Grant
    Filed: September 20, 2019
    Date of Patent: February 14, 2023
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Hirokuni Kitahara, Yuji Watanabe, Fumiko Akiyama
  • Patent number: 11526599
    Abstract: One or more computer processors collect logs containing one or more admission requests associated with a new application installation in an empty namespace, wherein the empty namespace is a sandbox representative of a production environment. The one or more computer processors classify the one or more admission requests according to a set of conditions indicating respective levels of trust. The one or more computer processors create a set of candidates for signing containing admissions requests that are classified unsigned. The one or more computer processors generate a security policy for each candidate for signing in the set of candidates for signing.
    Type: Grant
    Filed: April 19, 2021
    Date of Patent: December 13, 2022
    Assignee: International Business Machines Corporation
    Inventors: Ruriko Kudo, Hirokuni Kitahara, Kugamoorthy Gajananan, Yuji Watanabe
  • Publication number: 20220342997
    Abstract: A computer-implemented method for assessing latent security risks in Kubernetes clusters is provided including selecting a service account from a plurality of service accounts defined in namespaces of a cluster, binding a role to the selected service account based on predetermined role-binding data, and determining if the role meets at least one of a first, second, and third conditions based on predetermined role data defining permitted operations for roles, the first condition being that the role can receive secret tokens for pods within a namespace of the namespaces, the second condition being that the role can perform execution operation to other pods, and the third condition being that the role can create DaemonSet, Deployment, StatefulSet, and additional pods on the namespace.
    Type: Application
    Filed: April 22, 2021
    Publication date: October 27, 2022
    Inventors: Yuji Watanabe, Ruriko Kudo, Kugamoorthy Gajananan, Hirokuni Kitahara
  • Publication number: 20220342965
    Abstract: A system for controlling access to cluster resources is provided. The system includes one or more processors; and memory operatively coupled to the one or more processors, wherein the one or more processors and the memory form a cluster of computer resources that includes an admission controller configured to receive requests and determine if the request is authorized, a request history database that stores the request information received by the admission controller from a plurality of users, a role design advisor that is configured to adjust permissions for the plurality of users based on a pattern of usage identified from the request history database, and an alert system that communicates an alert to an administrator that a request outside the pattern of requests for the user has been received by the admission controller, wherein the admission controller, request history database, and role design advisor control access to the cluster resources.
    Type: Application
    Filed: April 22, 2021
    Publication date: October 27, 2022
    Inventors: Yuji Watanabe, Ruriko Kudo, Hirokuni Kitahara, Kugamoorthy Gajananan
  • Publication number: 20220335119
    Abstract: One or more computer processors collect logs containing one or more admission requests associated with a new application installation in an empty namespace, wherein the empty namespace is a sandbox representative of a production environment. The one or more computer processors classify the one or more admission requests according to a set of conditions indicating respective levels of trust. The one or more computer processors create a set of candidates for signing containing admissions requests that are classified unsigned. The one or more computer processors generate a security policy for each candidate for signing in the set of candidates for signing.
    Type: Application
    Filed: April 19, 2021
    Publication date: October 20, 2022
    Inventors: Ruriko Kudo, Hirokuni Kitahara, Kugamoorthy Gajananan, Yuji Watanabe
  • Patent number: 11477236
    Abstract: A computer-implemented method is provided for identifying words likely to be used in new combo-squatted domains of a target domain. The method includes selecting the target domain. The method further includes storing, in a memory device, a sequence of previously detected combo-squatted domains from period [t-W, t-1]. The sequence includes a set of words W. The method also includes obtaining trends associated with the target domain at time t. The method additionally includes obtaining, by a hardware processor responsive to the trends, a trend distribution associated with the target domain at time t. The method further includes ranking, by a likelihood, a set of words E that have been extracted from the trend distribution and are expected to be used in the future in the new combo-squatting domains, responsive to the set of words W.
    Type: Grant
    Filed: May 27, 2020
    Date of Patent: October 18, 2022
    Assignee: International Business Machines Corporation
    Inventors: Pablo Salvador Loyola Heufemann, Kugamoorthy Gajananan, Hirokuni Kitahara, Yuji Watanabe, Fumiko Akiyama
  • Publication number: 20220245285
    Abstract: Methods and systems for verifying a resource definition include simulating an original resource definition to identify at least one change that is made to the original resource definition by a management service. A signature of a received resource definition is generated, omitting portions of the received resource definition that correspond to the at least one identified change. The signature of the received resource definition is compared to a signature of the original resource definition to find a match and to verify the received resource definition. The received resource definition is implemented, responsive to finding the match.
    Type: Application
    Filed: February 4, 2021
    Publication date: August 4, 2022
    Inventors: Hirokuni Kitahara, Ruriko Kudo, Kugamoorthy Gajananan, Yuji Watanabe
  • Patent number: 11403401
    Abstract: A method for checking an integrity of an object to be deployed to a cluster is provided. The method detects a resource creation request. The method, responsive to the request being an initial resource creation request for the object, verifies the integrity of the object based on properties in the request to create a release secret in the cluster for a positive integrity verification result for the object. The release secret represents a specific deployment configuration of the object on the cluster. The method, responsive to the request being other than the initial resource request, checks if the request corresponds to the specific deployment configuration of the object by checking against the release secret in the cluster. The method, responsive to the request corresponding to a deployment of the object and the release secret being present in the cluster, creates a resource requested by the request in the cluster.
    Type: Grant
    Filed: June 19, 2020
    Date of Patent: August 2, 2022
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Kugamoorthy Gajananan, Hirokuni Kitahara, Yuji Watanabe, Ruriko Kudo
  • Publication number: 20210397712
    Abstract: A method for checking an integrity of an object to be deployed to a cluster is provided. The method detects a resource creation request. The method, responsive to the request being an initial resource creation request for the object, verifies the integrity of the object based on properties in the request to create a release secret in the cluster for a positive integrity verification result for the object. The release secret represents a specific deployment configuration of the object on the cluster. The method, responsive to the request being other than the initial resource request, checks if the request corresponds to the specific deployment configuration of the object by checking against the release secret in the cluster. The method, responsive to the request corresponding to a deployment of the object and the release secret being present in the cluster, creates a resource requested by the request in the cluster.
    Type: Application
    Filed: June 19, 2020
    Publication date: December 23, 2021
    Inventors: Kugamoorthy Gajananan, Hirokuni Kitahara, Yuji Watanabe, Ruriko Kudo
  • Publication number: 20210377306
    Abstract: A computer-implemented method is provided for identifying words likely to be used in new combo-squatted domains of a target domain. The method includes selecting the target domain. The method further includes storing, in a memory device, a sequence of previously detected combo-squatted domains from period [t-W, t-1]. The sequence includes a set of words W. The method also includes obtaining trends associated with the target domain at time t. The method additionally includes obtaining, by a hardware processor responsive to the trends, a trend distribution associated with the target domain at time t. The method further includes ranking, by a likelihood, a set of words E that have been extracted from the trend distribution and are expected to be used in the future in the new combo-squatting domains, responsive to the set of words W.
    Type: Application
    Filed: May 27, 2020
    Publication date: December 2, 2021
    Inventors: Pablo Salvador Loyola Heufemann, Kugamoorthy Gajananan, Hirokuni Kitahara, Yuji Watanabe, Fumiko Akiyama
  • Patent number: 11178175
    Abstract: A computer-implemented method for linking combo-squatting domains is provided. The method includes grouping domain names into nameserver groups based on a nameserver for each of the domains. Each of the domain names contains valued words. The method also includes splitting words in each domain name and generating a wordlist for each of the nameserver groups. The method further includes finding feature words among the nameserver groups, and extracting malicious domain names which contain the feature words in each of the nameserver groups. The method further includes outputting, for each of the nameserver groups, the malicious domain names and corresponding registrant identifying data based on the feature words.
    Type: Grant
    Filed: August 16, 2019
    Date of Patent: November 16, 2021
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Hirokuni Kitahara, Yuji Watanabe, Fumiko Akiyama, Alisa Arno
  • Patent number: 11163635
    Abstract: Methods and systems for detecting mutation events include collecting change event pattern counts from one or more processing nodes. Unintended change events are identified based on the collected change event pattern counts. A corrective action is performed for the unintended change events.
    Type: Grant
    Filed: September 23, 2019
    Date of Patent: November 2, 2021
    Assignee: INTERNATIONAL BUSINESS MACHINES CORPORATION
    Inventors: Hirokuni Kitahara, Yuji Watanabe, Pablo Salvador Loyola Heufemann, Kugamoorthy Gajananan
  • Patent number: 11144418
    Abstract: A computer-implemented method includes generating one or more process trees based on one or more processes associated with one or more change events within a cluster computing system, performing mutation event detection by comparing a root of each of the one or more process trees with one or more external commands, and generating a mutation event report based on the comparison.
    Type: Grant
    Filed: September 23, 2019
    Date of Patent: October 12, 2021
    Assignee: International Business Machines Corporation
    Inventors: Hirokuni Kitahara, Yuji Watanabe, Fumiko Akiyama
  • Publication number: 20210089420
    Abstract: A computer-implemented method includes generating one or more process trees based on one or more processes associated with one or more change events within a cluster computing system, performing mutation event detection by comparing a root of each of the one or more process trees with one or more external commands, and generating a mutation event report based on the comparison.
    Type: Application
    Filed: September 23, 2019
    Publication date: March 25, 2021
    Inventors: Hirokuni Kitahara, Yuji Watanabe, Fumiko Akiyama