Abstract: Provided is an eBPF-based hot patch engine device for protecting kernel vulnerabilities. The eBPF-based hot patch engine device comprises a container-aware code generating unit for generating a container-aware code for identifying a target container, to which a hot patch is attached; and a hot patch configuring unit for configuring an eBPF-based hot patch code for attaching a hot patch to the target container based on the container-aware code. Accordingly, it is possible to prevent attacks based on CVEs, which are known vulnerabilities for container systems, by hot patching kernel-related CVEs at runtime without rebooting and freezing.

Abstract: Provided is a dynamic security policy enforcement system for a container system. The dynamic security policy enforcement system comprises a policy management unit for generating and managing a security policy for a container based on a structured format including a set of rules of a predetermined condition; a policy enforcement unit for checking the set of rules when the container requests a system call, changing the security policy of the structured format into a code in a preset format, and transferring the policy changed into the code to a kernel space; and a policy operation decision unit for enforcing the policy received from the policy enforcement unit in the kernel space based on a policy enforcement program that hooks the system call and generating a return value for performing a predetermined operation.

Abstract: Provided is an on-device Android malware detection method based on an adaptive model through transfer learning, including: determining whether an application is malicious or unfavorable from a list of applications installed on a device; decompiling, in the device, an Android package (APK) of the application installed on the device; transmitting the determined list and the decompiled APK file to a server in order to generate a head model in the server and use the generated head model for the transfer learning with a base model; performing malware analysis in the device using a transfer learning model received from the server for an application newly installed on the device; and providing a malware analysis result to a user through the device as a result, and since the malware analysis is performed on the device, it is possible to ensure the availability and real-time performance of enabling analysis outside of a network range.

Abstract: Provided is a design method for sharing a profile in a container environment, including: extracting a sensitive context defined as information related to system-based access control or a sandboxing policy and an insensitive context defined as information unrelated to security for a profile provided by a developer; extracting the sensitive context and the insensitive context for the profile provided by a host; fetching a max configuration for the sensitive and insensitive contexts from each image layer of the developer; and generating a final profile that is applied to deploy the container by merging the host profile with the max configuration fetched from the developer profile. Accordingly, it is possible to provide an optimal environment to developers and hosts by generating the final profile with a hierarchical model using the host profile and the developer profile.

Abstract: Provided is a method of analyzing a container system call configuration error, including: profiling a set of trusted images that are uploaded to a public or private container image repository during initialization of a system or verified by a repository owner; identifying a custom service layer and known service layers based on the trusted image when a custom image is transmitted to the system; analyzing only the custom service layer by a system call extraction engine; and generating and optimizing a profile with an essential and non-malicious system call by scanning the custom service layer to remove a malicious program or a vulnerable system call. Accordingly, it is possible to reduce overhead by omitting re-analysis of known images in a container image scanning process.

Abstract: Provided is a docker image vulnerability inspection device, which extracts and classifies an instruction by analyzing a manifest file of a docker image, maps a file designated in the instruction to a plurality of classes, sets vulnerability of the file according to an extraction condition preset to each of the plurality of classes, and checks vulnerability of the file according to the vulnerability set to the file based on a CVE database prepared in advance.