UDC 004.056.53

Overview of the combined approach to protect microservice applications

Айтказин Аскар Мирсоветович – Master's student, Kazakh-British Technical University (Republic of Kazakhstan, Almaty).

Кешильбаев Мади Ертайулы – Master's student, Kazakh-British Technical University (Republic of Kazakhstan, Almaty).

Abstract: The rapid rise in popularity of microservice architecture in recent years has revolutionized the way modern applications are developed. Microservice architecture is a new architectural style in which the system is broken down into the smallest possible services, each of which has a single responsibility and depends on the others. Despite offering a number of benefits such as scalability, flexibility and reusability, microservices also pose new security challenges. Service Mesh is one of the security design solutions that gives control over the system. Nevertheless, a service mesh by itself is not a perfect security solution: it is vulnerable to various attacks that come from different planes. An Intrusion Detection System is a common security solution in applications. It observes the system to detect whether any malicious activity is present. However, to improve the security of the whole microservice-architecture-based application, we propose a new combined approach that uses these two security solutions together. The proposed combined approach enhances application security significantly.


Keywords: microservices, service mesh, intrusion detection system, security, vulnerabilities.


Introduction

The advancements in software development, which now mainly focus on cloud systems, have led to the development of such paradigms as “Software-as-a-Service (SaaS)” and “Infrastructure-as-a-Service (IaaS)”, which make use of a microservice architecture. Microservice architecture is a software development style that has been gaining significantly more attention and rising in popularity in recent years [1]. Numerous fields are recognizing the benefits of microservice application development and rapidly switching to it from the monolithic architecture. Among those fields are the Internet of Things, web applications, smart grids, etc.

Microservice architecture offers several benefits over the traditional monolithic architecture, scalability, agility and reliability being some of them [2]. Quickly adopted by leading companies around the world such as Netflix, this architectural style is being implemented with enthusiasm and is becoming the new standard of application development [3]. However, new technologies always have their drawbacks. In the case of microservices, applications developed under this architecture pose new security issues which are yet to be addressed. The surface exposed to cyberattacks grows as the microservice architecture breaks the traditional monolithic application into multiple small independent services, and so does the need to protect every one of those services.

Microservice architecture has a wide landscape of threats, which [4] groups as follows: hardware, cloud, communication, virtualization, service/application, and orchestration. All of the above are the main areas on which effort should be focused to increase the protection of the application. If we focus on microservice-specific threats, [5] mentions service discovery threats, Internet-based attacks, and cascading failure.

The purpose of this paper is to look into service mesh and service discovery threats. We overview the possible threats and examine best practices to protect the application from these threats. The rest of the paper is structured as follows: in the next section we provide the background, in Section 3 we examine the threats, in Section 4 we look at solutions, Section 5 presents our contribution, and Section 6 concludes the paper.

Background

Microservice applications are made of multiple components called services. Each service is a separate application that serves only one piece of business logic. Each service communicates with other services through an Application Programming Interface (API). Most modern applications use RESTful APIs to communicate [6]. The common way to run these services is in containers in the cloud. Microservices are designed to be autonomous, reusable, easily scalable, replicable, and loosely coupled [7].

Network-based interprocess communication between application infrastructure services, carried out through application programming interfaces (APIs), is handled by a flexible, low-latency infrastructure layer called a service mesh. A service mesh guarantees quick, dependable, and secure communication across containerized, often ephemeral application infrastructure services. Service discovery, load balancing, encryption, observability, traceability, authentication, authorization, and support for the circuit breaker pattern are just a few of the crucial features that the mesh offers [8]. To reduce the complexity of inter-service communication, a service mesh adds an infrastructure layer between the microservices [9]. The data plane and the control plane are the two components that make up the service mesh. A number of intelligent proxies deployed as sidecars make up the data plane. All network communication among the microservices is mediated and managed by these proxies. Additionally, they gather and compile data on all mesh traffic. The control plane configures and controls the proxies to route traffic.

A service mesh has the following characteristics. Load balancing: the effective division of network traffic among the services. Access control and authentication: the service mesh may specify which services are permitted to connect to other services. Circuit breaking: to keep latency low and avoid overloads, the service mesh rejects incoming requests. Fault tolerance: healthy service instances are used to achieve fault tolerance. Monitoring of all traffic: metrics are recorded and all traffic is watched.

Service discovery is a process that enables services to interact with one another by identifying services and devices on a network [10]. In a microservice architecture, application services are quickly added and deleted; service discovery has been developed to keep up with this. Client-side and server-side service discovery are the two available options. Client-side discovery informs clients about services and gives them responsibility for load balancing. With server-side discovery, the load balancing is carried out by the discovery mechanism itself.

Service Mesh Security Risks

Mesh security is undoubtedly a task of high importance. We can classify the possible attack vectors against the service mesh. They can appear at any point, for instance from the client, who may pose threats of Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF), and HTTP verb tampering [11].

Another vector of attacks can target the service discovery mechanism. Potential threats include the registration of malicious nodes in the application, which leads to compromise of service discovery. Additionally, disruption of the service registry leads to denial of service.

Service Mesh Security Solutions

Multiple works have been conducted to secure microservice applications, including solutions for the service mesh in particular. In [13], the authors propose a new idea for securing the service mesh: they implement a self-protecting service mesh using the adaptation assessment framework proposed in [14]. The framework is deployed as a service in a container, and a database container is deployed as well. The threats were identified with security assurance cases (SAC) [15]. The authors of [16] conducted a study on architectural decision making for service-mesh-based microservice applications. The study presents several protection methods for different threats. One of them is malicious ingress traffic, for which the proposed solution is the use of a front proxy such as the NGINX Ingress Controller. In addition, the authors propose the use of API keys and local key management. Furthermore, encryption based on mutual TLS is discussed for authentication purposes.

An infrastructure to protect workflow execution is discussed in [17]. The proposed infrastructure ensures data security at rest and in transit by making the framework work exactly as the enforced policies intend. Other works provide security solutions for microservices as a whole and for the containers that host those services, and assess the performance of microservices.

Intrusion Detection System

An Intrusion Detection System (IDS) is a system that continuously observes the application for suspicious activities or security breaches. It can significantly improve the security of the application by analyzing the data flowing through the network, looking for patterns and signs of abnormal behavior. An IDS works by a predefined set of rules and patterns. If any suspicious activity is detected, it sends alerts to the system administrator in real time. An IDS usually works in one of two modes. The signature-based method relies on a database of signatures and detects malicious intrusions by comparing the activity with the signatures. The anomaly-based method is used to detect unknown attacks: it uses machine learning and statistical analysis to build a model of trusted activity, and any activity that differs from the model is considered a potential threat.

Efficient usage of an IDS relies on the security policies enforced by the administrator. However, in combination with the service mesh, an anomaly-based IDS is a reliable solution. The service mesh collects a considerable amount of data to analyze. The data set is collected by the control plane through the data plane proxies. Table 1 presents the list of parameters to be collected for analysis.

Table 1. List of parameters.

Parameter       Description
cpu_usage       Average CPU usage over a specific period of time
memory_usage    Average memory usage over a specific period of time
sys_calls       Number of system calls made over a specific period of time
nmap_calls      Number of page fault exceptions that occurred over a specific period of time
block_req       Number of block requests made over a specific period of time
file_access     Number of files opened over a specific period of time
page_faults     Number of page fault exceptions that occurred over a specific period of time
PL_events       Number of process-level events

The collected data is useful for training machine learning models. Some proposed machine learning models are Decision Trees and SMO. Others include LSTM (Long Short-Term Memory), which is a recurrent neural network (RNN).

The data collection step collects the data for the defined parameters. In the next step the IDS analyzes the data and updates the profile. If there are no deviations, it goes back to analysis of the new data. If a deviation in the data is present, it detects and classifies the attack, and the attack database is updated as well. As the last step, we alarm the administrator and the surrounding microservices to protect the system.
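The detection loop described above, as an added example that is not the paper's own code: a statistical (z-score) profile is built from the Table 1 parameters reported by the mesh, deviations are classified against a small attack database that is extended when an unseen pattern appears, and alerts are returned for the administrator. The threshold, warm-up length, attack database contents and the metric samples are all constructed assumptions.

```python
# Added example (not the paper's code): anomaly-based IDS loop over service-mesh metrics.
import statistics

PARAMS = ["cpu_usage", "memory_usage", "sys_calls", "file_access", "page_faults"]
Z_LIMIT = 3.0       # assumed: z-score above this counts as a deviation
MIN_SAMPLES = 5     # assumed: warm-up before the profile is trusted
# Constructed attack database: deviation pattern -> label; grows at runtime.
ATTACK_DB = {frozenset({"sys_calls", "file_access"}): "suspicious file activity",
             frozenset({"cpu_usage", "memory_usage"}): "resource exhaustion"}

def deviations(profile, sample):
    """Parameters whose z-score against the profile (per-parameter history) exceeds Z_LIMIT."""
    out = []
    for p in PARAMS:
        h = profile[p]
        if len(h) < MIN_SAMPLES:
            continue                          # not enough history to judge yet
        mean, stdev = statistics.mean(h), statistics.pstdev(h) or 1e-9
        if abs(sample[p] - mean) / stdev > Z_LIMIT:
            out.append(p)
    return sorted(out)

def classify(deviating):
    """Look the deviation pattern up in the attack database; unseen ones are recorded."""
    key = frozenset(deviating)
    if key not in ATTACK_DB:
        ATTACK_DB[key] = "unknown anomaly"    # attack database is updated as well
    return ATTACK_DB[key]

def run_ids(samples):
    """Process metric samples in order; return (profile, alerts) for the administrator."""
    profile, alerts = {p: [] for p in PARAMS}, []
    for i, s in enumerate(samples):
        dev = deviations(profile, s)
        if dev:
            alerts.append((i, classify(dev), dev))   # alarm step
        else:
            for p in PARAMS:                         # only benign samples shape the baseline
                profile[p].append(s[p])
    return profile, alerts

def constructed_samples():
    """Constructed metrics: six benign samples, then three anomalous ones."""
    base = {"cpu_usage": 10, "memory_usage": 200, "sys_calls": 100, "file_access": 20, "page_faults": 5}
    benign = [dict(base, cpu_usage=10 + i % 3, memory_usage=200 + 5 * (i % 3),
                   sys_calls=100 + 5 * (i % 3), file_access=20 + (0, 2, 5)[i % 3],
                   page_faults=5 + i % 3) for i in range(6)]
    return benign + [dict(base, sys_calls=900, file_access=300),
                     dict(base, cpu_usage=95, memory_usage=900),
                     dict(base, page_faults=500)]
```

Because anomalous samples never enter the profile, a burst of malicious traffic cannot shift the baseline toward itself; the trade-off is that a genuine change in workload must be re-learned by restarting the warm-up.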

Conclusions

Protecting state-of-the-art methodologies and architectures of application development can be considered an active research area. Both Service Mesh and Intrusion Detection Systems are already used as security solutions in microservice architecture. In this study we proposed a combined approach to securing a microservice architecture application. Using the metrics collected from the Service Mesh, we are able to enhance the work of the Intrusion Detection System.

Our current approach describes the system design for the combination of Service Mesh and Intrusion Detection System. In the future, the proposed approach can be enhanced by altering the collected data types. Another possible improvement is the exploration of different machine learning algorithms for improved data analysis and reaction to anomalies in the system. In future work we aim to compare machine learning algorithms to find the best approach for training anomaly detection, as well as to define new policies from the gathered dataset.

References

  1. Thones, “Microservices,” in IEEE Software, vol. 32, no. 1, pp. 116-116, Jan.-Feb. 2015, doi: 10.1109/MS.2015.11.
  2. Huang, W. Zhuang, M. Sun, and H. Zhang, “Research and application of microservice in power grid dispatching control system,” in 2020 IEEE 4th Information Technology, Networking, Electronic and Automation Control Conference (ITNEC), vol. 1. IEEE, 2020, pp. 1895–1899.
  3. Chandramouli, Z. Butcher et al., “Building secure microservices-based applications using service-mesh architecture,” NIST Special Publication, vol. 800, p. 204A, 2020.
  4. Yarygina T, Bagge, AH (2018). Overcoming security challenges in microservice architecture. Proceedings of 2018 IEEE Symposium on Service-Oriented System Engineering (IEEE, Bamberg, Germany), pp 11-20. https://doi.org/10.1109/SOSE.2018.00011
  5. Chandramouli, “Security strategies for microservices-based application systems,” National Institute of Standards and Technology, Aug. 2019. Available: http://dx.doi.org/10.6028/NIST.SP.800-204
  6. Sill A (2016) The design and architecture of microservices. IEEE Cloud Computing 3(5):76-80. https://doi.org/10.1109/MCC.2016.111
  7. Richardson C (2015) Building microservices: Using an API gateway. Available at https://www.nginx.com/blog/building-microservices-using-an-api-gateway/
  8. Smith F, Garrett O (2018) What Is a Service Mesh? Available at https://www.nginx.com/blog/what-is-a-service-mesh/
  9. R. S. Sedghpour and P. Townend, "Service Mesh and eBPF-Powered Microservices: A Survey and Future Directions," 2022 IEEE International Conference on Service-Oriented System Engineering (SOSE), Newark, CA, USA, 2022, pp. 176-184, doi: 10.1109/SOSE55356.2022.00027.
  10. Middleware team (2023) What is Service Discovery? Complete guide. Available at https://middleware.io/blog/service-discovery/
  11. Jain J (2015) HTTP verb tampering: Bypassing web authentication and authorization. Available at https://resources.infosecinstitute.com/http-verb-tempering-bypassing-webauthentication-and-authorization/
  12. Google Cloud Guides. Anthos Service Mesh security best practices. Available at https://cloud.google.com/service-mesh/docs/security/anthos-service-mesh-security-best-practices#attack-vectors-and-security-risks
  13. Alboqmi, S. Jahan and R. F. Gamble, "Toward Enabling Self-Protection in the Service Mesh of the Microservice Architecture," 2022 IEEE International Conference on Autonomic Computing and Self-Organizing Systems Companion (ACSOS-C), CA, USA, 2022, pp. 133-138, doi: 10.1109/ACSOSC56246.2022.00047.
  14. Jahan, “An adaptation assessment framework for runtime security assurance case evolution,” Ph.D. dissertation, Dept. CS, Univ of Tulsa, Tulsa, OK, USA, 2021. Available at: https://www.proquest.com/docview/2637547876.
  15. Jahan, A. Marshall and R. Gamble, "Self-adaptation strategies to maintain security assurance cases," 2018 IEEE 12th International Conference on Self-Adaptive and Self-Organizing Systems (SASO), pp. 180-185, 2018.
  16. El Malki, Amine, and Uwe Zdun. “Guiding Architectural Decision Making on Service Mesh Based Microservice Architectures.” Software Architecture, Springer International Publishing, 2019, pp. 3–19. Crossref, doi:10.1007/978-3-030-29983-5_1.
  17. Miller, P. Mérindol, A. Gallais and C. Pelsser, "Towards Secure and Leak-Free Workflows Using Microservice Isolation," 2021 IEEE 22nd International Conference on High Performance Switching and Routing (HPSR), Paris, France, 2021, pp. 1-5, doi: 10.1109/HPSR52026.2021.9481820.
